Is there a way to prevent ServiceNow from adding a "jti" value to JWT requests?

Paul Bloem
Tera Expert

There is an OAuth API that we need to connect to from our instance using JWT. When I set up the JWT claims, I include the standard ones (iss, sub, aud), and the "iat" and "exp" values are added automatically, which is great. However, the system also includes a "jti" value in the payload that is causing the token request to fail.

An example payload:

{
  "sub": "<sub_value>",
  "aud": "<aud_value>",
  "iss": "<iss_value>",
  "exp": 1660216142,
  "iat": 1660216082,
  "jti": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}


Is anyone aware of a way to prevent that "jti" value from being added? I see that ServiceNow can be configured to ignore it for incoming requests, but it seems the addition of the value is happening in a Java library (sn_auth) that we can't access.

Thanks in advance.

2 REPLIES

Yousaf
Giga Sage

Hi,

I found this answer, not from ServiceNow; for reference, I will share the link below.

GenerateJWT always produces a jti claim in the issued JWT.

If you need no jti at all, you can use GenerateJWS. GenerateJWS can sign any payload; you need to pass in JSON in order to generate a JWT. Take care to assemble your claims correctly.

Reference: Exclude jti from JWT token generation

 

Mark Correct or Helpful if it helps.



Hi Yousaf, thank you for the reply! 

Unfortunately, in this case:

  • While I do think this would allow me to generate a valid token, there is no "GenerateJWS" function exposed by the sn_auth library, so I can't test that.
  • When using ServiceNow's built-in JWT functionality, I don't see a way to adjust the code that is being used. Even if GenerateJWS would work to create a token in a background script, we don't have access to make the OOB JWT process use that function.
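
The approach quoted in the first reply (sign a hand-assembled JSON claim set as a JWS, so that no "jti" is ever added) looks like this as an added example; it is not part of the thread and is not ServiceNow or sn_auth code. It assumes Node.js with its built-in crypto module and RS256 signing; the function names, the key pair and the issuer, subject and audience values are constructed for illustration.

```javascript
// Added example: Node.js built-in crypto only; none of this is a ServiceNow API.
const crypto = require('crypto');

// base64url without padding, as JWS compact serialization requires (RFC 7515).
function b64url(input) {
  return Buffer.from(input).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Assemble the claim set by hand: the claims from the question, and no "jti".
function buildClaims({ iss, sub, aud }, nowSeconds, lifetimeSeconds = 60) {
  for (const [name, value] of Object.entries({ iss, sub, aud })) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new Error(`missing required claim: ${name}`);
    }
  }
  return { sub, aud, iss, exp: nowSeconds + lifetimeSeconds, iat: nowSeconds };
}

// Sign any JSON payload as a compact JWS; with a claim set as payload it is a JWT.
function signJws(payload, privateKey) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Receiver-side check: pin the algorithm, verify the signature, then read claims.
function verifyAndDecode(token, publicKey) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64').toString('utf8'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const sig = Buffer.from(s, 'base64'); // Node's decoder accepts the URL-safe alphabet
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKey, sig)) throw new Error('bad signature');
  return JSON.parse(Buffer.from(p, 'base64').toString('utf8'));
}

// Constructed sample: throwaway key pair and placeholder claim values.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const claims = buildClaims(
  { iss: 'example-issuer', sub: 'example-subject', aud: 'https://auth.example.test/token' },
  1660216082); // iat taken from the example payload in the question
const token = signJws(claims, privateKey);
console.log(verifyAndDecode(token, publicKey));
```

The 60-second default lifetime matches the gap between "iat" and "exp" in the example payload from the question.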