Using JWT - is it fine to authenticate user with the subject being their email?

I'm new to authentication, and just trying out JWT authentication on a small express app.

I've got a user authentication setup using JWTs, and I'm using the subject as the user's email.

Is this a good practice?

If I decode the JWT on jwt.io, I see:

{
  "sub": "[email protected]",
  "iat": 1489963760,
  "exp": 1490568560
}

Is that how it is supposed to work?

user1354934 asked Mar 19 '17 22:03



1 Answer

The sub claim must be unique. Since email addresses are unique, it is a reasonable choice for the claim.

See RFC7519

4.1.2. "sub" (Subject) Claim

The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific.

Ensure two users do not register themselves with the same email address, for example using a generic email like [email protected].

pedrofb answered Nov 15 '22 23:11