From ab04428463518d05594491ca159f5ab0d7575721 Mon Sep 17 00:00:00 2001
From: Frederick Muriuki Muriithi
Date: Mon, 6 May 2024 07:31:42 +0300
Subject: Add `jti` claim

Have each JWT token have a `jti` claim (JWT ID) to help with tracking
refreshes, and therefore validity of the JWTs.

If a refresh token is used more than once, then that refresh token,
and all its progeny/descendants are considered invalid, since that
token could have been stolen.
---
 gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'gn_auth')

diff --git a/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py b/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py
index 8e2f082..5e12575 100644
--- a/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py
+++ b/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py
@@ -1,4 +1,6 @@
 """JWT as Authorisation Grant"""
+import uuid
+
 from flask import current_app as app
 
 from authlib.common.security import generate_token
@@ -28,7 +30,9 @@ class JWTBearerTokenGenerator(_JWTBearerTokenGenerator):
                 key: str(value) if key.endswith("_id") else value
                 for key, value in tokendata.items()
             },
-            "sub": str(tokendata["sub"])}
+            "sub": str(tokendata["sub"]),
+            "jti": str(uuid.uuid4())
+        }
 
 
     def __call__(self, grant_type, client, user=None, scope=None,
@@ -54,6 +58,10 @@ class JWTBearerGrant(_JWTBearerGrant):
     """Implement JWT as Authorisation Grant."""
 
     TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_post", "client_secret_jwt"]
+    CLAIMS_OPTIONS = {
+        **_JWTBearerGrant.CLAIMS_OPTIONS,
+        "jti": {"essential": True}
+    }
 
 
     def resolve_issuer_client(self, issuer):
-- 
cgit v1.2.3