[
https://issues.apache.org/jira/browse/NIFI-14618?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17955326#comment-17955326
]
ASF subversion and git services commented on NIFI-14618:
--------------------------------------------------------
Commit 586120bce11064c5333c2b286d0d613e282c27e3 in nifi's branch
refs/heads/main from Peter Turcsanyi
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=586120bce1 ]
NIFI-14618 Fixed JWT ID evaluation in JWTBearerOAuth2AccessTokenProvider
Signed-off-by: Pierre Villard <[email protected]>
This closes #9980.
> JWTBearerOAuth2AccessTokenProvider should evaluate JWT ID property per token
> request
> ------------------------------------------------------------------------------------
>
> Key: NIFI-14618
> URL: https://issues.apache.org/jira/browse/NIFI-14618
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Peter Turcsanyi
> Assignee: Peter Turcsanyi
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The purpose of the JWT ID property is to provide a value for the "jti" claim
> in the token request, which should be a unique identifier for the request. It
> can be used by OAuth servers to detect replay attacks.
> Though it is possible to configure the JWT ID property with EL like
> ${UUID()}, it is evaluated only once in onEnabled() and the same value is
> used in the requests which can lead to
> {noformat}
> HTTP 400
> Response: [{"error":"invalid_client","error_description":"Client
> authentication with signed JWT failed: Token reuse detected"}]{noformat}
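The failure described in the issue, simulated as an added example (this is not NiFi code and not the change from the commit): a client that fixes its "jti" once at enable time is rejected on its second token request by a server that tracks seen IDs, while a client that generates the value per request is accepted. The TokenEndpoint and Client classes, the demo key, the claim values and the use of HS256 in place of the provider's real signing key are all assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, time, uuid

KEY = b"constructed-demo-key"  # constructed; HS256 stands in for the real signing key

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(claims: dict) -> str:
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

class TokenEndpoint:
    """Hypothetical authorization server that remembers every jti until it expires."""
    def __init__(self):
        self.seen = {}  # jti -> exp

    def exchange(self, assertion: str, now: float):
        head, body, sig = assertion.split(".")
        mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(mac), sig):
            return 400, "invalid signature"
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        self.seen = {j: e for j, e in self.seen.items() if e > now}  # drop expired ids
        if claims["exp"] <= now:
            return 400, "assertion expired"
        if claims["jti"] in self.seen:
            return 400, "Token reuse detected"
        self.seen[claims["jti"]] = claims["exp"]
        return 200, "access token issued"

class Client:
    """Hypothetical client; per_request=False mimics evaluating the jti once at enable time."""
    def __init__(self, per_request: bool):
        self.per_request = per_request
        self.enabled_jti = str(uuid.uuid4())  # evaluated once, as in the reported behaviour

    def assertion(self, now: float) -> str:
        jti = str(uuid.uuid4()) if self.per_request else self.enabled_jti
        return sign({"iss": "demo-client", "sub": "demo-client",
                     "aud": "https://as.example/token", "exp": int(now) + 300, "jti": jti})

def run(per_request: bool, requests: int = 3):
    server, client, now = TokenEndpoint(), Client(per_request), time.time()
    return [server.exchange(client.assertion(now + i), now + i) for i in range(requests)]
```

run(False) reproduces the rejection pattern from the report; run(True) shows every request accepted once the ID is fresh per request.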