oauth2.dev

jti

IETF

Registry Context

`jti` is the JWT ID claim and is registered by JAR as an OAuth authorization request parameter. It is an optional, case-sensitive string that uniquely identifies a JWT. Its assignment must make accidental reuse for another data object negligibly likely.

Technical Summary

RFC 7519 defines `jti` as a case-sensitive string containing a unique JWT identifier. RFC 9101 registers it for use in authorization requests because Request Object parameters are represented as JWT claims. Parameter names and string values in a Request Object must be JSON strings encoded using UTF-8.

When Used

As the `jti` claim in a JWT, including a JWT Request Object used for an OAuth 2.0 JWT-Secured Authorization Request.

Normative Requirements

Requests

MUST
3
  1. RFC 9101 - Section 4

    Contain all parameters, including extension parameters, used to process the OAuth 2.0 authorization request except `request` and `request_uri`..

    Condition: When used to provide OAuth 2.0 authorization request parameters.

    It MUST contain all the parameters ... used to process the OAuth 2.0 authorization request except the request and request_uri parameters.

  2. RFC 9101 - Section 4

    Represent the `jti` parameter name and its string value as JSON strings..

    Condition: When `jti` is included in a Request Object.

    Parameter names and string values MUST be included as JSON strings.

  3. RFC 9101 - Section 4

    Encode the JSON strings for the `jti` parameter name and value using UTF-8..

    Condition: When `jti` is included in a Request Object.

    these JSON strings MUST be encoded using UTF-8

Application using multiple issuers

MUST
1
  1. RFC 7519 - Section 4.1.7

    Prevent collisions among `jti` values produced by different issuers..

    Condition: When the application uses multiple JWT issuers.

    collisions MUST be prevented among values produced by different issuers

JWT issuer

MUST
1
  1. RFC 7519 - Section 4.1.7

    Assign the `jti` value so that the probability of accidentally assigning the same value to a different data object is negligible..

    Condition: When a JWT includes the `jti` claim.

    The identifier value MUST be assigned in a manner that ensures a negligible probability of accidental reuse.

OPTIONAL
1
  1. RFC 7519 - Section 4.1.7

    Include the `jti` claim..

    Condition: When creating a JWT.

    Use of this claim is OPTIONAL.

Validation Guidance

error

Verify that the `jti` assignment strategy makes accidental reuse for a different data object negligibly likely.

error

In multi-issuer deployments, verify that `jti` collisions are prevented among values produced by different issuers.

info

Allow `jti` to be omitted unless another applicable profile requires it.

error

For a Request Object containing `jti`, verify that all authorization request parameters used for processing are present except `request` and `request_uri`.

error

Verify that the `jti` name and value are JSON strings encoded using UTF-8.

Security Notes

RFC 7519 - Section 4.1.7

The `jti` claim can be used to prevent JWT replay.

RFC 9101 - Section 9.1

RFC 9101 registers core JWT claims as OAuth authorization request parameters to prevent future OAuth extensions from assigning them different meanings in Request Objects.

Reference

Details

Entry Id
jti
Name
jti
Parameter Usage Location
authorization request
Change Controller
IETF
Reference
RFC7519 - Section 4.1.7, RFC9101