[英]Using JWT - is it fine to authenticate user with the subject being their email?
I'm new to authentication, and just trying out JWT authentication on a small express app. 我是身份验证的新手,只是在一个小型快递应用程序上尝试JWT身份验证。
I've got a user authentication setup using JWTs, and I'm using the subject as the user's email. 我有一个使用JWT的用户身份验证设置,我正在使用该主题作为用户的电子邮件。
Is this a good practice? 这是一个好习惯吗?
If I decode the JWT on jwt.io, I see: 如果我在jwt.io上解码JWT,我看到:
{
"sub": "test_user_3@test.com",
"iat": 1489963760,
"exp": 1490568560
}
Is that how it is supposed to work? 它是如何工作的?
The sub
claim must be unique. sub
索赔必须是唯一的。 Since email addresses are unique, it is a reasonable choice for the claim. 由于电子邮件地址是唯一的,因此它是索赔的合理选择。
4.1.2.
4.1.2。 "sub" (Subject) Claim
“sub”(主题)索赔
The "sub" (subject) claim identifies the principal that is the subject of the JWT.
“子”(主题)权利要求确定了作为JWT主体的委托人 。 The claims in a JWT are normally statements about the subject.
JWT中的声明通常是关于该主题的声明。 The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.
主题值必须在发行者的上下文中作为本地唯一的范围,或者是全局唯一的。 The processing of this claim is generally application specific.
该权利要求的处理通常是特定于应用的。
Ensure two users do not register theirselves with the same email address, for example using a generic email like info@test.com
确保两个用户不使用相同的电子邮件地址注册自己,例如使用
info@test.com
等通用电子邮件
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.