I am using JWT to verify users. As a result I need to create a JSON Web Token which contains the following information: username, mycompany, and expiration date. In the JWT standard there are reserved claims such as issuer (iss). I was wondering what the best practice is for storing my information. I was originally thinking of setting iss = 'mycompany.com', sub = 'myusername', exp = 'whenever', but looking at the documentation from jwt.io (http://jwt.io/introduction/) I see they store the username inside of the payload. Are there reasons for this? If so, what are they, and would my implementation be wrong then?

user2924127

1 Answer

sub is just a predefined claim.

As stated in your link, this is for "interoperability". If you do not need to exchange your JWT with other systems, now or in the future, then you can use private claims (e.g. name). If you are using sub then all systems that are receiving this token must interpret it the same way (that is, sub means username and nothing else).

Note that reserved claims are also stored within the payload.

SilverlightFox

    `sub` is defined in the RFC ( https://tools.ietf.org/html/rfc7519 ) as "The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.", because usernames are *not* necessarily unique (e.g. in multi-tenant scenarios) I store the unique and immutable user-identifier (e.g. DB primary-key, SID, or GUID) in this field instead of the username. – Dai Jul 23 '18 at 06:13
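A worked example of the layout the answer and comment describe, added here and not part of the original post: the registered claims iss, sub and exp carry the stable identity and lifetime, the username goes in a private claim, and the verifier checks alg, signature, issuer and expiry before trusting anything. It uses only the Python standard library (HS256); the secret, user id and issuer are constructed placeholders.

```python
import base64, hmac, hashlib, json

# Constructed placeholder secret; a real deployment loads it from a key store.
SECRET = b"example-hmac-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(user_id: str, username: str, issuer: str, ttl: int, now: int) -> str:
    """Build an HS256 JWT: stable id in `sub`, changeable username in a private claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": issuer,         # registered: who issued the token
        "sub": user_id,        # registered: unique, immutable subject (not the username)
        "exp": now + ttl,      # registered: expiry as Unix time
        "iat": now,            # registered: issued-at
        "username": username,  # private claim: display name, may change or collide
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, expected_issuer: str, now: int):
    """Return the payload only if alg, signature, iss, sub and exp all check out; else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # reject 'none' and algorithm substitution
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("iss") != expected_issuer or not payload.get("sub"):
        return None
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None
    return payload
```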