Passport: why the jti in the header and in the payload ??

I agree it shouldn't be in the header. Seems like a waste of space.

I think league/oauth2-server handles it
https://github.com/thephpleague/oauth2-server/blob/master/src/Entities/Traits/AccessTokenTrait.php#L32

Please open a ticket on league/oauth2-server if you believe this is an issue

It's 120 chars worth of an issue in every request header. It's not much but it's against the JWT spec.

Hey, let me open this again. It seems to me that this issue has not yet been seen and nobody he asked in league/oauth2-server also. I'm right?

@rodriigomedeiros do you believe this is still an issue? If so, I will look into it

Not exactly a problem, but as mentioned by @MattiJarvinen-BA , it is against the specifications of JWT. Some clients are complaining about the size of the token and without this duplication we would save, after encoding in base64, some bytes. What do you think?

Sorry @rodriigomedeiros I wasn't clear in my comment. I meant have you confirmed that this is still an issue in the latest versions of the respective packages? This issue was initially raised back in 2017 so a lot has changed since.

If you don't know, it is no problem. I will take a look into it, but if you have confirmed this is still happening, it would save me some time investigating. Cheers

Alright @Sephster , I really did not understand your question. Sorry.

Replying now, yes, it's still a problem in recent versions. Currently, in another project, I'm using Passport v7.3.0 and I still see the duplicate JTI even though I know this is a league/oauth2-server problem. Thank you for fast response. Cheers.

Cool. I will take a look at this today to see if there is an easy solution. Cheers!

The JTI has now been removed from the header. This change will be in version 8 which I'm releasing today. Cheers

Great, @Sephster. Cheers.