
I am currently developing financial services as a personal project.

In order to strengthen security in the project, it is designed and implemented to process authentication at the gateway stage using AWS API Gateway.

I tried to log in using a mobile phone number and the received authentication number, and I don't think this is appropriate for Cognito and IAM identifiers, so I'm going to run the Node Auth Server that issues and verifies JWT tokens in AWS Lambda.

In the process, I tried to include an identifier such as user_id or uuid in the payload of the JWT token, but my colleague opposed it.

His opinion was that the access token should only engage in authentication and that the token should not contain a user identifier.

I agreed with him to some extent, but if so, I wondered how to deliver the user identifier in an API such as "Comment Registration API".

Should we hand over the user identifier along with the access token to the client when login is successful?

In conclusion:

  1. Is it logically incorrect to include the user identifier in the access token's payload?
  2. If the answer to the above question is yes, how should I deliver the user identifier when login is successful?

I wanted to hear the majority's opinion, so I posted it.

Thank you.

Jun

2 Answers


Typically you want enough information in the access token so that you can also do proper authorization about what the user/caller is allowed to do.

Typically, you separate authentication and authorization like the picture below shows: [image not available]

So, to make an effective API, you do want to avoid having to lookup additional information to be able to determine if you are allowed to access some piece of data or not. So, I typically include the UserID and some other claims/roles in the token, so that I can smoothly let the user in inside the API.

However, adding personal information in the access token might have some GDPR issues, but sometimes it might be necessary to add it as well. But I don't see any issues adding information like UserId and roles in the token.

Tore Nestenius
    I'm sorry for the delay in choosing the answer. Your answer really helped me a lot! In addition, after further talking with my colleague, I concluded that user_id in payload is used to verify user rights, and user_id in queries or bodies is used as a value for CRUD APIs. Thank you once again. – Jun Dec 03 '21 at 07:46

Yes it is logically correct and a normal thing to do. To see how to do it in a Node Auth Server, you can look at this: https://auth0.com/blog/complete-guide-to-nodejs-express-user-authentication/

Peter Dongan