DarrenBaldwin07 / clerk-rs

An official community-maintained Clerk SDK for Rust
https://crates.io/crates/clerk-rs
MIT License
76 stars, 24 forks

Make non-recommended JWT claims optional #50

Closed afroozeh closed 3 months ago

afroozeh commented 3 months ago

sid is not a recommended claim according to the guidelines (https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims). Recently, we encountered an issue where the server returned a 401 error because JSON parsing failed on a token that lacked sid.

afroozeh commented 3 months ago

Note: sid is present in Clerk session JWT tokens, but it doesn't seem to be there when using long-lived tokens generated by JWT Templates (https://clerk.com/docs/testing/postman-or-insomnia). It's kind of logical since such tokens are not bound to a session.

DarrenBaldwin07 commented 3 months ago

> Note: sid is present in Clerk session JWT tokens, but it doesn't seem to be there when using long-lived tokens generated by JWT Templates (https://clerk.com/docs/testing/postman-or-insomnia). It's kind of logical since such tokens are not bound to a session.

Good timing on opening this - was looking into a similar issue this week. Thank you for raising. I talked with a couple Clerk engineers about this very issue and they said sid is always defined even on long-lived tokens, which seems contradictory to what I've seen in the past and what you're saying (I can generate a long-lived token right now and it will have a sid). It might depend on how you generate the long-lived token though (e.g. in an active authed browser session or not).

DarrenBaldwin07 commented 3 months ago

> Note: sid is present in Clerk session JWT tokens, but it doesn't seem to be there when using long-lived tokens generated by JWT Templates (https://clerk.com/docs/testing/postman-or-insomnia). It's kind of logical since such tokens are not bound to a session.

Looks like when you create a Clerk JWT template you can optionally specify a sid (or not), so I think this can most definitely be optional.

[Screenshot: 2024-06-27, 9:04:17 PM]

EDIT: Also got this response from a Clerk engineer ✅ [Screenshot: 2024-06-27, 9:17:38 PM]

agis commented 2 months ago

All session tokens, whether they're created via JWT Templates or not, will always contain an sid claim with its value set to the current session ID. The value cannot be overridden, since it's part of the default claims that Clerk always sets.

Even if you add an sid claim in your template, it will be overridden during token generation.

afroozeh commented 2 months ago

@agis this is clearly not the case for JWT Templates. I created a JWT Template without changing anything and was getting a JSON deserialization error using the clerk-rs middleware. This is the response I got from a Clerk dev on Discord:

[Screenshot: 2024-07-08, 11:58:51]

It's also logical to not have sid because there is no session associated with a long-lived token anyway. Also, as the dev mentioned, other Clerk SDKs account for optional sid.
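The failure mode described in this thread is a claims parser that treats sid as mandatory and therefore rejects an otherwise valid long-lived token with a 401. The following is an added, stand-alone illustration (not clerk-rs code, and not Clerk's own verification logic) of a claims parser that keeps sub, iss, exp and iat required while making sid optional. It is written in stdlib-only Python rather than the crate's serde-based Rust so it runs without dependencies; the claim names, the fixed clock value and the sample tokens are all constructed for the demo, and the tokens are unsigned placeholders because the example deliberately covers claim parsing only (in real middleware the signature is verified first, before any claim is trusted).

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Optional

# Claims this example insists on. `sid` is deliberately not in the list: it is
# not a registered JWT claim and a JWT-template token may legitimately omit it.
REQUIRED_CLAIMS = ("sub", "iss", "exp", "iat")


@dataclass
class Claims:
    sub: str
    iss: str
    exp: int
    iat: int
    sid: Optional[str] = None  # present on session tokens, absent on long-lived ones


class ClaimsError(ValueError):
    """Raised when the payload is malformed or a required claim is missing."""


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_claims(token: str, now: Optional[int] = None) -> Claims:
    """Parse the payload of a compact JWT into Claims, tolerating a missing sid.

    No signature check is performed here; this only demonstrates the
    claim-shape validation that clerk-rs' middleware was getting wrong.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ClaimsError("token is not a three-part compact JWT")
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ClaimsError(f"payload is not valid JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ClaimsError("payload is not a JSON object")

    missing = [name for name in REQUIRED_CLAIMS if name not in payload]
    if missing:
        raise ClaimsError(f"missing required claims: {missing}")

    sid = payload.get("sid")  # None when absent: that is allowed
    if sid is not None and not isinstance(sid, str):
        raise ClaimsError("sid must be a string when present")

    claims = Claims(
        sub=str(payload["sub"]),
        iss=str(payload["iss"]),
        exp=int(payload["exp"]),
        iat=int(payload["iat"]),
        sid=sid,
    )
    current = int(time.time()) if now is None else now
    if claims.exp <= current:
        raise ClaimsError("token has expired")
    return claims


def _unsigned_token(payload: dict) -> str:
    """Build a constructed compact JWT with a placeholder signature (demo only)."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(payload).encode())}.placeholder-signature"


# Constructed sample data: a fixed clock and three tokens.
NOW = 1_720_000_000
SESSION_TOKEN = _unsigned_token({
    "sub": "user_constructed_abc", "iss": "https://example-issuer.invalid",
    "iat": NOW - 60, "exp": NOW + 3600, "sid": "sess_constructed_123",
})
TEMPLATE_TOKEN = _unsigned_token({  # long-lived token from a JWT template: no sid
    "sub": "user_constructed_abc", "iss": "https://example-issuer.invalid",
    "iat": NOW - 60, "exp": NOW + 3600,
})
BROKEN_TOKEN = _unsigned_token({  # missing sub: this one must still be rejected
    "iss": "https://example-issuer.invalid", "iat": NOW - 60, "exp": NOW + 3600,
})


if __name__ == "__main__":
    for label, tok in (("session", SESSION_TOKEN), ("template", TEMPLATE_TOKEN), ("broken", BROKEN_TOKEN)):
        try:
            print(label, "->", parse_claims(tok, now=NOW))
        except ClaimsError as err:
            print(label, "-> rejected:", err)
```

Running the block prints the parsed claims for the session token (sid set) and the template token (sid None), and a rejection for the token that lacks sub, which is the distinction the thread asks for: relax sid without relaxing the claims that actually identify the principal and bound the token's lifetime.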

agis commented 2 months ago

You're right - I was mistaken!