
Exclude jti from JWT token generation

Hello,

We have a use case of generating JWT tokens in Apigee with a private key, with digest and digestAlgorithm as additional claims and an x5c certificate as an additional header, and passing the token to the backend target for validation and further processing of the request.

Please see below for the policy configuration.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<GenerateJWT async="false" continueOnError="false" enabled="true" name="Generate-JWT">
    <DisplayName>Generate JWT</DisplayName>
    
    <Algorithm>RS256</Algorithm>
    
    <PrivateKey>
        <Value ref="private.privatekey"/>
    </PrivateKey>

    <AdditionalClaims>
        <Claim name="digest" ref="signData"/>
        <Claim name="digestAlgorithm" type="string">SHA-256</Claim>
    </AdditionalClaims>

    <AdditionalHeaders>
        <Claim name="x5c" ref="private.cert"/>
    </AdditionalHeaders>

    <OutputVariable>jwt-token</OutputVariable>

</GenerateJWT>

The resulting JWT contains a "jti" claim, which unfortunately is rejected by the backend target. Is there a way or workaround to exclude the "jti" claim from token generation? Though I believe the backend target should not check for it, unfortunately it is checking it and rejecting the tokens.

Thanks,

SivaRam Appali

Solved
1 ACCEPTED SOLUTION

GenerateJWT always produces a jti claim in the issued JWT.

If you need no jti at all, you can use GenerateJWS. GenerateJWS can sign any payload; you need to pass in JSON in order to generate a JWT. Take care to assemble your claims correctly.

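The accepted solution above says GenerateJWS will sign whatever JSON you hand it, so the claim set has to be assembled by hand. The following is an added example, not code from the thread or from Apigee: it builds a claim set without "jti" (registered date claims as integer seconds, the thread's digest and digestAlgorithm claims included), serializes it as a JWS payload segment, and runs a receiver-side check of the kind the backend in the thread performs. The issuer, subject, audience and TTL values, the "jwt.claims" flow variable name, and the Apigee JavaScript-policy hook at the bottom are assumptions; ES5 syntax is used in the builder so that part could be pasted into a JavaScript policy, while the Buffer-based helpers are Node-only and are for local inspection.

```javascript
// Added example, not code from the original thread or from Apigee.
// Builds the JSON claim set a GenerateJWS policy would sign when the backend
// must not see a "jti" claim. Claim values, the "jwt.claims" flow variable
// and the Apigee hook at the bottom are assumptions for illustration.

// Build the claims object. Registered date claims are NumericDate values
// (integer seconds since the epoch). "jti" is deliberately never emitted.
function buildJwtClaims(opts) {
  if (typeof opts.ttlSeconds !== "number" || opts.ttlSeconds % 1 !== 0 || opts.ttlSeconds <= 0) {
    throw new Error("ttlSeconds must be a positive integer");
  }
  var nowSec = Math.floor(opts.nowMs / 1000);
  var claims = {
    iss: opts.issuer,
    sub: opts.subject,
    aud: opts.audience,
    iat: nowSec,
    nbf: nowSec,
    exp: nowSec + opts.ttlSeconds,
    digest: opts.digest,                   // hash of the signed request data
    digestAlgorithm: opts.digestAlgorithm  // e.g. "SHA-256", as in the thread
  };
  // Refuse to emit a half-built claim set: an undefined value would be dropped
  // by JSON.stringify and the token would fail only at the backend.
  var names = Object.keys(claims);
  for (var i = 0; i < names.length; i++) {
    var value = claims[names[i]];
    if (value === undefined || value === null || value === "") {
      throw new Error("claim '" + names[i] + "' is missing");
    }
  }
  return claims;
}

// Compact serialization: the JWS payload segment is exactly these bytes.
function claimsToPayload(claims) {
  return JSON.stringify(claims);
}

// base64url without padding, the encoding used for JWS segments (Node only).
function base64url(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Receiver-side check mirroring the backend in the thread: decode the payload
// segment of a compact JWS and confirm the claim set is acceptable. Signature
// verification belongs to VerifyJWS / the backend's JWS library, not here.
function inspectPayloadSegment(segment, nowSec) {
  var reasons = [];
  var claims;
  try {
    // Node's "base64" decoder also accepts the URL-safe alphabet without padding.
    claims = JSON.parse(Buffer.from(segment, "base64").toString("utf8"));
  } catch (e) {
    return { ok: false, reasons: ["payload is not base64url-encoded JSON"], claims: null };
  }
  if (claims === null || typeof claims !== "object" || Array.isArray(claims)) {
    return { ok: false, reasons: ["payload is not a JSON object"], claims: null };
  }
  if ("jti" in claims) reasons.push("unexpected jti claim");
  var required = ["iss", "sub", "aud", "exp", "digest", "digestAlgorithm"];
  for (var i = 0; i < required.length; i++) {
    if (!(required[i] in claims)) reasons.push("missing " + required[i]);
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) reasons.push("token expired or exp not numeric");
  if (typeof claims.nbf === "number" && claims.nbf > nowSec) reasons.push("token not yet valid");
  return { ok: reasons.length === 0, reasons: reasons, claims: claims };
}

// Inside an Apigee JavaScript policy (assumed deployment), the same payload is
// handed to GenerateJWS through a flow variable. "signData" is the variable the
// original GenerateJWT policy already reads for the digest claim.
if (typeof context !== "undefined" && typeof context.setVariable === "function") {
  var payload = claimsToPayload(buildJwtClaims({
    nowMs: Date.now(),
    ttlSeconds: 300,                 // assumed lifetime
    issuer: "apigee-proxy",          // assumed value
    subject: "order-service",        // assumed value
    audience: "backend-target",      // assumed value
    digest: context.getVariable("signData"),
    digestAlgorithm: "SHA-256"
  }));
  context.setVariable("jwt.claims", payload);
}
```

With the claim set in a flow variable, the GenerateJWS policy references it from its payload element (for example `<Payload ref="jwt.claims"/>`, keeping the same `<Algorithm>`, `<PrivateKey>` and `<AdditionalHeaders>` as the GenerateJWT policy in the question); the resulting compact JWS is then a three-segment JWT whose middle segment is exactly the JSON built here, with no "jti". Keep `exp` short and `aud` specific to the backend, since without "jti" the backend cannot detect a replayed token by identifier and has to rely on expiry and audience instead.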
