I tried to get the user id from a JWT token. I got a JWT token and successfully verified it, but it doesn't return an id.
When I decode the JWT:
const decoded = jwt.verify(token, config.get('jwtPrivateKey'));
var userId = decoded.id
console.log(decoded)
I got this output:
{ iat: 1561463667 }
But I expected this output:
id :"*****************"
How do I get the user id from the token?
When the whole output is { iat: 1561463667 }, it means that no extra payload/claims were added when the token was signed. The jsonwebtoken package usually adds iat (issuedAt, the time when the token was issued) as a default claim.
In simple words: you can only decode claims that were added before.
To add more claims, try this code (when you're in control of the code which issues the token):
const jwt = require('jsonwebtoken');
let payload = { "id" : "1"};
let token = jwt.sign( payload,'secret', { noTimestamp:true, expiresIn: '1h' });
Here I added an expiry time (exp), and set the option noTimestamp to suppress the automatically added iat claim.
The result looks like this:
{
"id": "1",
"exp": 1561471747
}
and the token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjEiLCJleHAiOjE1NjE0NzI0MzV9.jmKyITRoxLl0fy0-rrwgPOA_iRgGQu8W4Cc6dPupOMA
Then you can get the id as you have already shown in your question:
const decoded = jwt.verify(token, "your secret or key");
var userId = decoded.id
console.log(userId)
You can also paste the above shown JWT or your token into the https://jwt.io debugger, to inspect the token and see the structure and the actual claim names. Maybe there's no id, but a userId or similar, or a sub claim, which is a registered claim name to be used to identify the principal:
The "sub" (subject) claim identifies the principal that is the subject of the JWT.
It might also happen, that the token contains nested objects, e.g.:
{
"user_data":
{
"user_id": "1",
"user_name": "superuser"
},
"exp": 1561471747
}
then you get the user_id this way:
const decoded = jwt.verify(token, "your secret or key");
var userId = decoded.user_data.user_id
console.log(userId)