Skip to content

JWT JTI Attribute #6043

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kfox1111 opened this issue May 1, 2025 · 6 comments
Open

JWT JTI Attribute #6043

kfox1111 opened this issue May 1, 2025 · 6 comments
Labels
help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog

Comments

@kfox1111
Copy link
Contributor

kfox1111 commented May 1, 2025

When federating with some other IDP's, they treat the optional JTI field as non optional. It looks like a very easy field we could add for compatibility. It just needs to be unique per token. Looks like some folks just use a sufficiently sized random number.
@sorindumitru sorindumitru added the triage/in-progress Issue triage is in progress label May 6, 2025
@maia-iyer
Copy link

Can confirm this is currently a requirement from Keycloak's built-in JWT authenticator, and would love for this feature to be implemented!

@MarcosDY
Copy link
Collaborator

MarcosDY commented May 6, 2025

Could you clarify which IDPs specifically require the JTI field? It would help us understand the compatibility needs better.

Regarding enabling this feature, would the following options make sense?

Globally: applied to all entries
Individually: configurable per entry
Selectively: based on certain fields (e.g., specific selectors)

Let us know what level of granularity you think is needed.

@kfox1111
Copy link
Contributor Author

kfox1111 commented May 6, 2025

Keycloak for sure.

Its in the standard, so always adding it should work I think. but maybe on or off globally might be ok. cant think of a reason it needs to be per workload.

@sorindumitru
Copy link
Collaborator

Do you happen to have some links to documentation from Keycloak about how they use this?

One thing I'm concerned about is how this would interact with the agent cache. If a system uses the JTI as a form of replay protection the agent has no way of knowing that the token is "used up" and will continue to return it from the cache. Workloads won't have any way of controling this.

We need to see if adding support for the JTI claims needs any changes to how those tokens are cached. This might inform how we enable this, globally or at the entry/workload level.

@kfox1111
Copy link
Contributor Author

I dont. The behavior of JTI should be defined in the rfc though here: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7

@sorindumitru
Copy link
Collaborator

We discussed this a bit today. Due to the JTI being used to for replay protection (i.e. only accept a specific JTI value once), we probably need to make sure that the agent doesn't cache SVIDs that have it set. This would be easier done with a flag on the entry, since this allows for configuring the, potentially fewer, workloads that need a JTI to have it in their JWTs and also bypass the agent cache while allowing other workloads to benefit from the cache.

@sorindumitru sorindumitru added help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog and removed triage/in-progress Issue triage is in progress labels May 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sorindumitru @kfox1111 @MarcosDY @maia-iyer