From ab04428463518d05594491ca159f5ab0d7575721 Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Mon, 6 May 2024 07:31:42 +0300 Subject: Add `jti` claim Have each JWT token have a `jti` claim (JWT ID) to help with tracking refreshes, and therefore validity of the JWTs. If a refresh token is used more than once, then that refresh token, and all its progeny/descendants are considered invalid, since that token could have been stolen. --- gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py b/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py index 8e2f082..5e12575 100644 --- a/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py +++ b/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py @@ -1,4 +1,6 @@ """JWT as Authorisation Grant""" +import uuid + from flask import current_app as app from authlib.common.security import generate_token @@ -28,7 +30,9 @@ class JWTBearerTokenGenerator(_JWTBearerTokenGenerator): key: str(value) if key.endswith("_id") else value for key, value in tokendata.items() }, - "sub": str(tokendata["sub"])} + "sub": str(tokendata["sub"]), + "jti": str(uuid.uuid4()) + } def __call__(self, grant_type, client, user=None, scope=None, @@ -54,6 +58,10 @@ class JWTBearerGrant(_JWTBearerGrant): """Implement JWT as Authorisation Grant.""" TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_post", "client_secret_jwt"] + CLAIMS_OPTIONS = { + **_JWTBearerGrant.CLAIMS_OPTIONS, + "jti": {"essential": True} + } def resolve_issuer_client(self, issuer): -- cgit v1.2.3