From 8f2ea490adbfa00486524b443d8d7e6289224d98 Mon Sep 17 00:00:00 2001 From: Joe Grandja Date: Wed, 18 Oct 2023 16:28:39 -0400 Subject: [PATCH] Add jti claim to generated JWT Closes gh-1360 --- .../oauth2/server/authorization/token/JwtGenerator.java | 4 +++- .../oauth2/server/authorization/token/JwtGeneratorTests.java | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/JwtGenerator.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/JwtGenerator.java index 94ba32e3..84247b54 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/JwtGenerator.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/JwtGenerator.java @@ -19,6 +19,7 @@ import java.time.Instant; import java.time.temporal.ChronoUnit; import java.util.Collections; import java.util.Date; +import java.util.UUID; import org.springframework.lang.Nullable; import org.springframework.security.core.session.SessionInformation; @@ -112,7 +113,8 @@ public final class JwtGenerator implements OAuth2TokenGenerator { .subject(context.getPrincipal().getName()) .audience(Collections.singletonList(registeredClient.getClientId())) .issuedAt(issuedAt) - .expiresAt(expiresAt); + .expiresAt(expiresAt) + .id(UUID.randomUUID().toString()); if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) { claimsBuilder.notBefore(issuedAt); if (!CollectionUtils.isEmpty(context.getAuthorizedScopes())) { diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/token/JwtGeneratorTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/token/JwtGeneratorTests.java index fc1a7ba6..07deda57 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/token/JwtGeneratorTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/token/JwtGeneratorTests.java @@ -318,6 +318,7 @@ public class JwtGeneratorTests { } assertThat(jwtClaimsSet.getIssuedAt()).isBetween(issuedAt.minusSeconds(1), issuedAt.plusSeconds(1)); assertThat(jwtClaimsSet.getExpiresAt()).isBetween(expiresAt.minusSeconds(1), expiresAt.plusSeconds(1)); + assertThat(jwtClaimsSet.getId()).isNotNull(); if (tokenContext.getTokenType().equals(OAuth2TokenType.ACCESS_TOKEN)) { assertThat(jwtClaimsSet.getNotBefore()).isBetween(issuedAt.minusSeconds(1), issuedAt.plusSeconds(1));