I am generating a JWT for an API token. I am putting the user id into that JWT so I know who is calling into the API. Where do I put the user id in the JWT?
I have seen many different examples that put it in 'sub', 'aud' and even 'iss'. Which is correct, if any? Or does the user id go in a non-registered name?
Storing an ID is probably a better idea since the user data can be modified, just as you said. Also, a large payload in the JWT results in extra bytes being sent over the network for almost every request. In most cases you don't need the whole user data, and an ID will do.
ID tokens are JSON web tokens (JWT) with information about the user. The ID token consists of a header, payload, and signature separated by period (.) characters. Each part is a base64url-encoded value.
Although JWT does eliminate the database lookup, it introduces security issues and other complexities while doing so. Security is binary—either it's secure or it's not. This makes it dangerous to use JWT for user sessions.
What to store in a JWT
Registered claims like sub, iss, exp or nbf.
Public claims with public names or names registered by IANA which contain values that should be unique, like email, address or phone_number. See full list.
Private claims to use in your own context and values can ...
The sub claim is the right claim for the user identifier. The aud claim identifies the intended recipient of the JWT and the iss identifies the issuer/creator. Any other interpretations of these claims are not standard compliant, see: https://www.rfc-editor.org/rfc/rfc7519#section-4.1