How can I set the `sub` claim of a JWT in FeathersJS?


Problem description


The sub claim for JWTs is optional, but the feathersjs-authentication won't let me set it to a blank string or remove it.


I was able to add a new value to the payload in the authentication before hook but changing sub or trying to remove it doesn't work.

app.service('/api/auth').hooks({
  before: {
    create: [
      // You can chain multiple strategies
      auth.hooks.authenticate(['jwt', 'local']),

      hook => {
        // I can add a new `SUB` value but this method doesn't work for `sub`
        Object.assign(hook.params.payload, {SUB: hook.params.payload.userId})
      }
    ],
    // ...
  }
});


I tried adding the same change to the after hook, but that didn't work either. Having the sub value as anonymous doesn't seem right to me. Their docs even say:

subject: 'anonymous', // Typically the entity id associated with the JWT


Yet there does not seem to be a straightforward way to make the `sub` JWT claim a dynamic value.

Answer


The `subject` or `sub` is set in the authentication options and, like any other JWT-specific option, cannot be set through the payload.


Looking at the code you can see that valid JWT option keys can be set through params (which other than params.query is outside of a malicious client reach so it can't be easily tampered with):

app.service('/api/auth').hooks({
  before: {
    create: [
      // You can chain multiple strategies
      auth.hooks.authenticate(['jwt', 'local']),

      hook => {
        // JWT options are merged from params.jwt, which the client cannot write;
        // params.jwt may not exist yet, so create it rather than assume it does
        hook.params.jwt = Object.assign({}, hook.params.jwt, {
          subject: hook.params.payload.userId
        });
      }
    ]
  }
});
