OMFG!!! Do *NOT* put passwords or any secrets in your claims... the JWT itself is *NOT* encrypted/secure, the payload is only base64 encoded, the signature only confirms authority.
JSON.parse(atob(YOUR_TOKEN.split('.')[1]))
This is a *REALLY* bad example.
Things you should put in your claims...
* token id
* real name
* account id
* email address
* user's roles/groups
example, here's a claims section from a devauth application I wrote.
{
jti: "GENERATED_UUID_FOR_THIS_TOKEN"
iss: "https://AUTHENTICATION_SERVER/"
aud: "https://APP_SERVER/",
iat: 1564526297, // Issued, seconds since unix epoch UTC
exp: 1564569497 // Expires, seconds from unix epoch UTC
sub: "USER_ID",
eml: "EMAIL_ADDRESS",
fnm: "FIRST",
lnm: "LAST",
aff: ["AFFILIATION",...]
rol: ["ADMIN",...]
}
OMFG!!! Do *NOT* put passwords or any secrets in your claims... the JWT itself is *NOT* encrypted/secure, the payload is only base64 encoded, the signature only confirms authority. JSON.parse(atob(YOUR_TOKEN.split('.')[1])) This is a *REALLY* bad example.Things you should put in your claims... * token id * real name * account id * email address * user's roles/groups example, here's a claims section from a devauth application I wrote. { jti: "GENERATED_UUID_FOR_THIS_TOKEN" iss: "https://AUTHENTICATION_SERVER/" aud: "https://APP_SERVER/", iat: 1564526297, // Issued, seconds since unix epoch UTC exp: 1564569497 // Expires, seconds from unix epoch UTC sub: "USER_ID", eml: "EMAIL_ADDRESS", fnm: "FIRST", lnm: "LAST", aff: ["AFFILIATION",...] rol: ["ADMIN",...] }