Should JWTs be used for more than just authenticating a user? I read that it's okay to store non-sensitive stuff like a user ID in it. Would it be okay to store stuff like permission levels in the token? This way I get to avoid doing a database call.
JWT tokens can be used for authentication purposes, but nothing stops you from storing user roles or a scope with the access level of the token. – cassiomolin Aug 17 '17 at 12:25
Upvote because this is the answer I wanted to hear – el_pup_le Aug 17 '17 at 12:27
Depends on the specific type of JWT. If you use HMAC, then any verifier of the token can also forge other tokens and get more access rights. Perhaps you should use RSA and make sure that only a single entity has the private key. – Artjom B. Aug 17 '17 at 20:20
1 Answer
JWT tokens can be used for authentication purposes, but nothing stops you from creating your own claims to store additional data, such as the user roles or a scope of access.
Some authentication providers add a scope of access to their tokens. Have a look at this answer.
– cassiomolin