jti
Registry Context
`jti` is the JWT ID claim and is registered by JAR as an OAuth authorization request parameter. It is an optional, case-sensitive string that uniquely identifies a JWT. Its assignment must make accidental reuse for another data object negligibly likely.
Technical Summary
RFC 7519 defines `jti` as a case-sensitive string containing a unique JWT identifier. RFC 9101 registers it for use in authorization requests because Request Object parameters are represented as JWT claims. Parameter names and string values in a Request Object must be JSON strings encoded using UTF-8.
When Used
As the `jti` claim in a JWT, including a JWT Request Object used for an OAuth 2.0 JWT-Secured Authorization Request.
Normative Requirements
Requests
RFC 9101 - Section 4
Contain all parameters, including extension parameters, used to process the OAuth 2.0 authorization request except `request` and `request_uri`..
Condition: When used to provide OAuth 2.0 authorization request parameters.
It MUST contain all the parameters ... used to process the OAuth 2.0 authorization request except the request and request_uri parameters.
RFC 9101 - Section 4
Represent the `jti` parameter name and its string value as JSON strings..
Condition: When `jti` is included in a Request Object.
Parameter names and string values MUST be included as JSON strings.
RFC 9101 - Section 4
Encode the JSON strings for the `jti` parameter name and value using UTF-8..
Condition: When `jti` is included in a Request Object.
these JSON strings MUST be encoded using UTF-8
Application using multiple issuers
RFC 7519 - Section 4.1.7
Prevent collisions among `jti` values produced by different issuers..
Condition: When the application uses multiple JWT issuers.
collisions MUST be prevented among values produced by different issuers
JWT issuer
RFC 7519 - Section 4.1.7
Assign the `jti` value so that the probability of accidentally assigning the same value to a different data object is negligible..
Condition: When a JWT includes the `jti` claim.
The identifier value MUST be assigned in a manner that ensures a negligible probability of accidental reuse.
RFC 7519 - Section 4.1.7
Include the `jti` claim..
Condition: When creating a JWT.
Use of this claim is OPTIONAL.
Validation Guidance
Verify that the `jti` assignment strategy makes accidental reuse for a different data object negligibly likely.
In multi-issuer deployments, verify that `jti` collisions are prevented among values produced by different issuers.
Allow `jti` to be omitted unless another applicable profile requires it.
For a Request Object containing `jti`, verify that all authorization request parameters used for processing are present except `request` and `request_uri`.
Verify that the `jti` name and value are JSON strings encoded using UTF-8.
Security Notes
RFC 7519 - Section 4.1.7
The `jti` claim can be used to prevent JWT replay.
RFC 9101 - Section 9.1
RFC 9101 registers core JWT claims as OAuth authorization request parameters to prevent future OAuth extensions from assigning them different meanings in Request Objects.
Reference
Details
- Entry Id
jti- Name
jti- Parameter Usage Location
authorization request- Change Controller
IETF- Reference
RFC7519 - Section 4.1.7, RFC9101