What additional claims are considered a good practice to be part of JWT token claims
I am designing a system (microservices based) where users will be authenticated using JWT tokens.
The minimum token payload looks like this:

```json
{
  "sub": "1234567890",
  "exp": 1516539022,
  "iat": 1516239022
}
```
My question is whether "email" and/or "name" should be part of the token, e.g.:

```json
{
  "sub": "1234567890",
  "exp": 1516539022,
  "iat": 1516239022,
  "email": "[email protected]",
  "name": "John Doe"
}
```
so that each microservice can access this data when needed, without an additional round trip.
Or is it redundant, and should a particular microservice fetch the user's "email" (or "name") when needed, by user id (sub), by calling an endpoint such as GET https://users-microservice.my-domain.com/{sub}/email?
I know of course that both options will work; I am just trying to avoid making a mistake and to abide by best practices.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow