It has recently been discovered that the Knox Token service will issue duplicate tokens to clients making concurrent requests separated by milliseconds or less. This is due to the nimbus JWT library truncating expiration times to units of seconds.
For many use cases, this is probably not an issue. However, as soon a support for token renewal and revocation is enabled, there is the potential for actions intended for one client's token to have unexpected effects on other client's tokens. This problem is potentially exacerbated in HA Knox deployments, whereby multiple Knox instances can receive simultaneous requests for tokens.
These issued tokens must be unique.
The inclusion of a private claim, the value of which is a UUID, would yield such unique tokens.
An additional advantage of this is that the TokenStateService can use these UUIDs instead of the Base64-encoded tokens themselves as keys for the associated state. This will alleviate some limitations associated with the implementations of this service (e.g., Java keystore lower-cases aliases).