oauth2.dev

jti

IESG

Registry Context

`jti` is an optional string identifier for the token in an OAuth token introspection response.

Technical Summary

RFC 7662 defines `jti` as an optional top-level introspection response member containing a string identifier for the token, with its semantics defined by the JWT `jti` claim.

When Used

When the authorization server includes a token identifier in an introspection response.

Normative Requirements

Authorization servers

OPTIONAL
1
  1. RFC 7662 - Section 2.2

    include a top-level `jti` member containing a string identifier for the token.

    Condition: when returning an introspection response

    `jti` OPTIONAL. String identifier for the token, as defined in JWT [RFC7519].

Application using multiple issuers

MUST
1
  1. RFC 7519 - Section 4.1.7

    prevent collisions among identifier values produced by different issuers.

    Condition: if the application uses multiple issuers

    if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well.

Entity assigning the identifier

MUST
1
  1. RFC 7519 - Section 4.1.7

    assign the identifier so that there is a negligible probability of accidentally assigning the same value to a different data object.

    The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object.

Validation Guidance

error

If `jti` is present, verify that its value is a string.

error

Ensure assigned `jti` values have a negligible probability of accidental collision.

error

If multiple issuers are in scope, verify that `jti` collisions are prevented across issuers.

error

Treat the `jti` value as case-sensitive when storing or comparing it.

Reference

Details

Entry Id
jti
Name
jti
Description
Unique identifier of the token
Change Controller
IESG
Reference
RFC7662 - Section 2.2