Examine the following JWT client assertion in JSON format. From the subset of claims listed below, which claim can be optional?
JSON
{
  "iss": "myClient",
  "sub": "myClient",
  "aud": "https://am.example.com/login/oauth2/access_token",
  "jti": "id012345",
  "exp": 1633363568,
  "iat": 1633356368
}
When an OAuth2 client uses Private Key JWT or Client Secret JWT for authentication at the PingAM 8.0.2 token endpoint, it must present a JWT (JSON Web Token) containing specific claims that identify and authorize the client. This is governed by the OIDC and OAuth2 JWT Profile specifications (RFC 7523).
According to the PingAM documentation on 'OAuth 2.0 Client Authentication' and the 'JWT Profile for Client Authentication':
iss (Issuer): Mandatory. This must be the client_id of the OAuth2 client.
sub (Subject): Mandatory. This must also be the client_id of the OAuth2 client (as the client is the subject of the authentication).
aud (Audience): Mandatory. This must be the URL of the PingAM OAuth2 service (the token endpoint) or the issuer URL.
exp (Expiration Time): Mandatory. This protects against the long-term use of intercepted assertions.
The jti (JWT ID) (Option A) provides a unique identifier for the token. In the context of standard JWT validation, jti is used to prevent replay attacks by ensuring that a specific token is only processed once. While highly recommended for security hardening, the PingAM 8.0.2 technical reference for OAuth2 client assertions marks jti as optional unless the server is explicitly configured to require it for replay detection. Without a jti, PingAM will still validate the iss, sub, aud, and exp claims to authenticate the client. Therefore, among the choices provided, jti is the claim that can be omitted without inherently violating the base OAuth2 JWT authentication request requirements.
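To make the claim requirements above concrete, here is an added example (not from the PingAM documentation or product) that builds a client_secret_jwt-style assertion with HS256 and then validates it the way a token endpoint would: signature first, then the mandatory iss, sub, aud and exp claims, with jti treated as optional unless a server policy flag demands it, and used for replay detection only when present. The client id, shared secret and endpoint URL are constructed sample values; the claim set mirrors the question's JSON.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for the demonstration (not PingAM configuration).
CLIENT_ID = "myClient"
CLIENT_SECRET = b"constructed-shared-secret-for-demo-only"
TOKEN_ENDPOINT = "https://am.example.com/login/oauth2/access_token"

# The four claims the explanation lists as mandatory; jti is deliberately absent.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_client_assertion(claims: dict, secret: bytes) -> str:
    """Produce a compact HS256 JWT (client_secret_jwt style) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def validate_client_assertion(token, secret, client_id, token_endpoint, seen_jtis,
                              now=None, require_jti=False):
    """Return (ok, reason). Mirrors the claim rules in the text: iss/sub/aud/exp are
    mandatory, jti is optional unless require_jti is set, and a jti that is present
    may only be accepted once (seen_jtis is the replay cache)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm before touching the signature.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return False, f"missing mandatory claim(s): {', '.join(missing)}"
    # iss and sub must both carry the client_id of the authenticating client.
    if claims["iss"] != client_id or claims["sub"] != client_id:
        return False, "iss/sub must equal client_id"
    aud = claims["aud"]
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud does not include token endpoint"
    if claims["exp"] <= now:
        return False, "assertion expired"
    jti = claims.get("jti")
    if jti is None:
        if require_jti:
            return False, "jti required by server policy"
    elif jti in seen_jtis:
        return False, "replayed jti"
    else:
        seen_jtis.add(jti)
    return True, "ok"
```

Running the validator twice on the same assertion shows why jti matters even though it is optional: the first presentation passes, the second is rejected as a replay, whereas an assertion without jti can only be bounded by its exp window.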