Jun

Reputation: 551

Is it right to put the user's identifier in the payload of the access token (JWT)?

I am currently developing financial services as a personal project.

In order to strengthen security in the project, it is designed and implemented to process authentication at the gateway stage using AWS API Gateway.

Login is done with a mobile phone number and the received authentication number; I don't think this fits Cognito and IAM identifiers, so I'm going to run the Node auth server that issues and verifies JWT tokens in AWS Lambda.

In the process, I tried to include an identifier such as user_id or uuid in the payload of the JWT token, but my colleague opposed it.

His opinion was that the access token should only be involved in authentication and that the token should not contain a user identifier.

I agreed with him to some extent, but if so, I wondered how to deliver the user identifier to an API such as a "Comment Registration API".

Should we hand the user identifier over to the client along with the access token when login succeeds?

In conclusion:

  1. Is it logically incorrect to include the user identifier in the access token's payload?
  2. If the answer to the above question is yes, how should I deliver the user identifier when login succeeds?

I wanted to hear the majority's opinion, so I posted it.

Thank you.

Upvotes: 1

Views: 1469

Answers (2)

Tore Nestenius

Reputation: 19981

Typically you want enough information in the access token so that you can also do proper authorization about what the user/caller is allowed to do.

Typically, you separate authentication and authorization as the diagram shows: [image]

So, to make an effective API, you want to avoid having to look up additional information to determine whether you are allowed to access some piece of data or not. So, I typically include the UserID and some other claims/roles in the token, so that I can smoothly let the user in inside the API.

However, adding personal information to the access token might have some GDPR issues, though sometimes it might be necessary to add it anyway. But I don't see any issue with adding information like UserId and roles to the token.

Upvotes: 1

Peter Dongan

Reputation: 2308

Yes, it is logically correct and a normal thing to do. To see how to do it in a Node auth server, you can look at this: https://auth0.com/blog/complete-guide-to-nodejs-express-user-authentication/

Upvotes: 0
