Echo JS 0.11.0


tracker1 1972 days ago. link 2 points
OMFG!!! Do *NOT* put passwords or any secrets in your claims... the JWT itself is *NOT* encrypted/secure, the payload is only base64 encoded, the signature only confirms authority.

    // payload segment is base64url, so map '-'/'_' to '+'/'/' before atob (missing '=' padding is tolerated)
    JSON.parse(atob(YOUR_TOKEN.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')))

This is a *REALLY* bad example.
tracker1 1972 days ago. link 1 point
Things you should put in your claims...

* token id
* real name
* account id
* email address
* user's roles/groups

For example, here's a claims section from a devauth application I wrote.

    {
      jti: "GENERATED_UUID_FOR_THIS_TOKEN",
      iss: "https://AUTHENTICATION_SERVER/",
      aud: "https://APP_SERVER/",
      iat: 1564526297, // Issued, seconds since unix epoch UTC
      exp: 1564569497, // Expires, seconds from unix epoch UTC
      sub: "USER_ID",
      eml: "EMAIL_ADDRESS",
      fnm: "FIRST",
      lnm: "LAST",
      aff: ["AFFILIATION",...],
      rol: ["ADMIN",...]
    }
harambe 1971 days ago. link 1 point
Lol I could not believe somebody would really store credentials in a JWT token. Then I checked the article. :facepalm