From 8f9cb671c6caa8475a411e223c68056f5424e8de Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Thu, 30 Sep 2021 15:38:23 +0200
Subject: [PATCH] fix: set jwt ID for client assertion to prevent token replay
---
 pkg/config/assertion.go | 2 ++
 pkg/token/token.go | 1 +
 2 files changed, 3 insertions(+)
diff --git a/pkg/config/assertion.go b/pkg/config/assertion.go
index 313de8b..c763ce7 100644
--- a/pkg/config/assertion.go
+++ b/pkg/config/assertion.go
@@ -2,6 +2,7 @@ package config
 import (
 "encoding/json"
+ "github.com/google/uuid"
 "github.com/nais/wonderwall/pkg/token"
 "gopkg.in/square/go-jose.v2"
 "time"
@@ -31,6 +32,7 @@ func (cfg *IDPorten) SignedJWTProfileAssertion(expiration time.Duration) (string
 Scopes: token.ScopeOpenID,
 ExpiresAt: exp.Unix(),
 IssuedAt: iat.Unix(),
+ JwtID: uuid.New().String(),
 }
 payload, err := json.Marshal(jwtRequest)
diff --git a/pkg/token/token.go b/pkg/token/token.go
index d207f3f..8a2f72e 100644
--- a/pkg/token/token.go
+++ b/pkg/token/token.go
@@ -20,6 +20,7 @@ type JWTTokenRequest struct {
 Audience string `json:"aud"`
 IssuedAt int64 `json:"iat"`
 ExpiresAt int64 `json:"exp"`
+ JwtID string `json:"jti"`
 }
 type IDToken struct {
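Review bot: `uuid.New()` on the added `JwtID: uuid.New().String(),` line panics if the random source fails (it is `Must(NewRandom())` in google/uuid), inside a function whose signature appears to return an error next to the string. Prefer generating the id with error handling before the literal, `jti, err := uuid.NewRandom()`, `if err != nil { return "", err }`, then `JwtID: jti.String(),`, so a failure is reported to the caller rather than crashing the process. A unique jti only makes a replayed assertion detectable when the authorization server remembers the ids it has accepted until their exp, so a comment such as `// jti lets the authorization server reject an assertion presented more than once; keep expiration short so its replay window is small.` would record that the expiration argument is part of the defense. SignedJWTProfileAssertion starts and ends outside the hunk.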
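Review bot: The new exported field `JwtID` in JWTTokenRequest has no doc comment, and since it is the claim that makes replayed assertions detectable it deserves one: `// JwtID is the "jti" claim, a per-assertion unique identifier that lets the authorization server reject an assertion presented more than once.` The enclosing type is spelled JWTTokenRequest, so `JWTID` would follow Go's initialism convention more consistently than `JwtID`, although renaming would also touch the assertion.go hunk. The struct's opening line lies before the hunk; it closes inside it, and the IDToken type that follows continues outside.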