What to store in JWT?

How do you guys work with the same user on multiple devices? Will there be obsolete data like {admin: true} except for the device that changed it?

Should it be in JWT? If not, and we only resort to setting the user ID, will it not be the same as a cookie-based session, since we save the state on the server?

+5
1 answer

The JWT RFC defines the following claim classes:

  • Registered claims like sub , iss , exp or nbf

  • Public claims with public names or IANA registered names that contain values that must be unique such as email , address or phone_number . See the full list.

  • Private claims for use in your own context, whose values may collide

None of these claims are binding.

A JWT is self-contained and should avoid depending on a server session: it carries the necessary authentication information itself (no server storage or database access needed). Thus, role information can be included in the JWT.

When using multiple devices, there are several reasons to cancel tokens before the expiration date, for example when the user changes the password, permissions change, or the account is deleted by the administrator. In this case, you will need a blacklist or an alternative mechanism for refusing tokens.

The blacklist can include the unique identifier of the token ( jti ), or just an entry ( sub - iss ) set after updating important user information (password, permissions, etc.) with currentTime - maxExpiryTime < last_modified . A record can be discarded once currentTime - maxExpiryTime > last_modified (no unexpired tokens remain).


Registered Claims

The following claim names are registered with the IANA "JSON Web Token Claims" registry established in Section 10.1.

  • iss (issuer): identifies the principal issuing the JWT.
  • sub (subject): identifies the principal who is the subject of the JWT. Must be unique
  • aud (audience): identifies the recipients for whom the JWT is intended (array of strings / URIs)
  • exp (expiration time): defines the expiration time (UTC Unix) after which you should no longer accept this token. This should be later than the issue time.
  • nbf (not before): identifies the UTC Unix time before which the JWT cannot be accepted
  • iat (issued at): identifies the UTC Unix time at which the JWT was issued
  • jti (JWT ID): provides a unique JWT identifier.

Example

  {
    "iss": "stackoverflow",
    "sub": "joe",
    "aud": ["all"],
    "iat": 1300819370,
    "exp": 1300819380,
    "jti": "3F2504E0-4F89-11D3-9A0C-0305E82C3301",
    "context": {
      "user": { "key": "joe", "displayName": "Joe Smith" },
      "roles": ["admin", "finaluser"]
    }
  }

See alternatives here fooobar.com/questions/719925 / ...

+7
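The revocation scheme sketched in the answer above (a blacklist of jti values, or a ( sub , iss ) entry stamped with last_modified that can be pruned once no unexpired token can predate it), as an added example that is not part of the original answer. It assumes the signature has already been verified and that MAX_EXPIRY is the longest lifetime ( exp - iat ) the server ever issues; the class and function names are invented for illustration.

```python
from dataclasses import dataclass, field

MAX_EXPIRY = 3600  # assumed: longest exp - iat the issuer ever grants, in seconds


@dataclass
class RevocationList:
    """Small, prunable server-side state; far less than a full session store."""
    # (sub, iss) -> last_modified: time of the last critical change (password, permissions, ...)
    entries: dict = field(default_factory=dict)
    # explicitly revoked token ids
    jtis: set = field(default_factory=set)

    def invalidate_subject(self, sub, iss, now):
        # Every token for this subject/issuer minted before `now` becomes invalid.
        self.entries[(sub, iss)] = now

    def revoke_jti(self, jti):
        self.jtis.add(jti)

    def prune(self, now):
        # An entry is only needed while a token issued before last_modified could still
        # be unexpired, i.e. while now - MAX_EXPIRY <= last_modified.
        self.entries = {k: t for k, t in self.entries.items() if now - MAX_EXPIRY <= t}

    def is_revoked(self, claims):
        if claims.get("jti") in self.jtis:
            return True
        last_modified = self.entries.get((claims["sub"], claims["iss"]))
        # strict "<": a token minted at the same instant as the change is still accepted
        return last_modified is not None and claims["iat"] < last_modified


def validate(claims, revocations, now):
    """Return (accepted, reason) for already signature-checked claims at time `now`."""
    if claims.get("exp") is not None and now >= claims["exp"]:
        return False, "expired"
    if claims.get("nbf") is not None and now < claims["nbf"]:
        return False, "not yet valid"
    if revocations.is_revoked(claims):
        return False, "revoked"
    return True, "ok"
```

Only the pruning bound depends on MAX_EXPIRY, so issuing a token with a longer lifetime than that constant silently defeats the cleanup.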
