Claims verification and storing info in sub
I used the simple version of this module for a few weeks of development but just switched to the extended since I needed the dynamic expiration time (some of my tokens will expire sooner than others). Furthermore, I also needed a way to verify that certain data existed in the JWT. So far, I have stored all the user info in the identity (sub) as a dictionary that includes the user id, plus everything else that would be important to know about the user (permissions, a couple of association ids, name, etc.). I needed a way to verify that at least some of this data exists in the token before considering it valid, so I thought I could use the claims_verification_loader to do that. Obviously, I was wrong and what that loader does is verify whatever is stored inside the user_claims claim.
First of all, I might be wrong, but I thought it was ok to store extended user info in the sub claim? (haven’t found any rules or other opinions about it) Assuming that is fine, shouldn’t there be a callback to be able to verify that data?
Second of all, if it is not okay to store extended info (e.g. info other than a user id) in the sub claim, I think it would be nice to be able to name the user_claims claim yourself (through the config). Personally, the name user_claims sounds a bit redundant. I would prefer to have it named user or user_info, or even sub_info (this one makes semantically the most sense). Since it boils down to opinion, I think putting it in the config would be the best.
But all in all I think this module is really handy and simplifies a lot of things, good job so far +1
Issue Analytics
- Created 6 years ago
- Comments: 7 (7 by maintainers)

added in 3.3.3
No worries. It is possible to work around this by utilizing the user_loader callback (since it has access to the identity) and write a clearer error message:
Obviously, user loading can be done at the same time as well. I’ll use this for now, until you’ve come up with a better solution (no rush). I’ll still try to get the PR done for the other stuff today though.
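Added example, not code from the issue or from the module it discusses: a standard-library sketch of the check the thread asks for, verifying the token signature and then rejecting a `sub` dict that lacks required fields with an error naming what is wrong, which is the kind of logic that could sit in the user_loader callback mentioned above. The schema, function names and sample tokens are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

# Hypothetical schema for the dict this issue keeps in "sub" (RFC 7519 defines "sub" as a string).
REQUIRED_IDENTITY_FIELDS = {"id": int, "name": str, "permissions": list}

class InvalidIdentity(Exception):
    """Raised with a message that names exactly what is wrong with the token."""

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def make_token(payload, secret):  # builds constructed HS256 sample tokens
    signing_input = ".".join(
        _b64e(json.dumps(p).encode()) for p in ({"alg": "HS256", "typ": "JWT"}, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64e(sig)

def verified_payload(token, secret):
    """Check the signature first; nothing in the payload is trusted before that."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64d(head))
        given = _b64d(sig)
    except ValueError as exc:
        raise InvalidIdentity("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidIdentity("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise InvalidIdentity("bad signature")
    return json.loads(_b64d(body))

def check_identity(identity):
    """Require every schema field to be present and correctly typed."""
    if not isinstance(identity, dict):
        raise InvalidIdentity("sub must be an object, got %s" % type(identity).__name__)
    problems = []
    for field, kind in REQUIRED_IDENTITY_FIELDS.items():
        if field not in identity:
            problems.append("missing " + field)
        elif not isinstance(identity[field], kind) or isinstance(identity[field], bool):
            problems.append("%s must be %s" % (field, kind.__name__))
    if problems:
        raise InvalidIdentity("invalid sub: " + "; ".join(problems))
    return identity

def load_user(token, secret):
    return check_identity(verified_payload(token, secret).get("sub"))
```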