Skip to content

Add jwt_svid_include_jti to Entry.AdditionalAttributes#95

Merged
sorindumitru merged 1 commit into
spiffe:nextfrom
srikalyan:feature/jwt-jti-include
Apr 28, 2026
Merged

Add jwt_svid_include_jti to Entry.AdditionalAttributes#95
sorindumitru merged 1 commit into
spiffe:nextfrom
srikalyan:feature/jwt-jti-include

Conversation

@srikalyan
Copy link
Copy Markdown

@srikalyan srikalyan commented Apr 21, 2026

Summary

Adds a new bool jwt_svid_include_jti field to Entry.AdditionalAttributes (field number 2, scoped inside the nested sub-message introduced by #88).

When set to true on a registration entry, SPIRE:

  • Includes a freshly generated UUID in the jti claim of every JWT-SVID minted for the entry.
  • Bypasses the agent's JWT-SVID cache so every request yields a new token.

This supports use cases that require per-token uniqueness, such as replay protection or auditing.

Background

This replaces the prior approach (an enum + per-audience policy map, previously proposed in #84) with a single boolean, following upstream feedback from @sorindumitru. The corresponding SPIRE PR is spiffe/spire#6514.

Test plan

  • make generate regenerates entry.pb.go cleanly
  • Consuming SPIRE branch compiles and its full test suite passes against this SDK

@srikalyan
Add jwt_svid_include_jti to Entry.AdditionalAttributes
f7e1b07 
Extends the AdditionalAttributes sub-message with a new bool
`jwt_svid_include_jti` (field 2). When set, SPIRE includes a
unique JTI (JWT ID) claim in JWT-SVIDs issued for the entry, and
the agent bypasses its JWT-SVID cache so every request yields a
fresh token. This supports use cases that require per-token
uniqueness such as replay protection or auditing.

Builds on the AdditionalAttributes sub-message introduced by
spiffe#88.

Signed-off-by: Srikalyan Swayampakula <srikalyansswayam@gmail.com>
sorindumitru
sorindumitru approved these changes Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@sorindumitru sorindumitru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @srikalyan. I'll also have a look at the SPIRE PR

@srikalyan
Copy link
Copy Markdown
Author

srikalyan commented Apr 27, 2026

Thank you @sorindumitru can we merge this, becomes easier on the implementation PR.

@sorindumitru sorindumitru merged commit 00f73a6 into spiffe:next Apr 28, 2026
2 checks passed
@srikalyan srikalyan mentioned this pull request May 5, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sorindumitru sorindumitru sorindumitru approved these changes

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo amartinezfayo is a code owner

@azdagron azdagron Awaiting requested review from azdagron azdagron is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@srikalyan @sorindumitru