tymondesigns / jwt-auth

🔐 JSON Web Token Authentication for Laravel & Lumen
https://jwt-auth.com
MIT License

Bug with custom claims (source included) #1228

Open quicktoolbox opened 7 years ago

quicktoolbox commented 7 years ago

Using custom claims.

After you call JWTAuth::parseToken()->getPayload()->get(), the next time you generate a JWT token, you will have the old values polluting the new token.

For example, old value aud => 'test'. Set a new custom claim to be aud => 'changed' and after you generate the token, viewing the actual payload you will see the old values are persisting.

Fresh Laravel project; add JWTAuth (modify app.php for JWT Auth); add routes to api.php.

How to repeat

  1. /api/get
  2. /api/view?token=<paste from step 1>
  3. /api/bug?token=<paste from step 1>
  4. /api/view?token=<paste from STEP 3>
  5. Notice that 'aud' is still 'test', instead of 'changed'.

The only way I know to get around this is to attach the array of custom claims to the model, so the array gets returned when getJWTCustomClaims() gets called.

```php
<?php

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Facades\JWTFactory;

// Step 1: issue a token with custom claims aud => 'test' and a user array.
Route::get('get', function (Request $request) {
    $payload = JWTFactory::aud('test')
        ->user(['email' => 'james@brown.com'])
        ->make();

    $jwt = JWTAuth::encode($payload);

    return (string) $jwt;
});

// Step 3: parse the incoming token first, then build a new token with
// aud => 'changed'. The parsed claims leak into the new payload.
Route::get('bug', function (Request $request) {
    JWTAuth::parseToken()->getPayload()->get();

    $payload = JWTFactory::aud('changed')->make();

    $jwt = JWTAuth::encode($payload);

    return (string) $jwt;
});

// Steps 2 and 4: dump every claim in the supplied token.
Route::get('view', function (Request $request) {
    return JWTAuth::parseToken()->getPayload()->get();
});
```
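The workaround described above, keeping the custom claims on the model so `getJWTCustomClaims()` is the single source of truth, combined with a post-issuance check that the token actually carries the intended claims. This is an added example, not code from the issue author or the jwt-auth project; it assumes the jwt-auth 1.x `JWTAuth` facade and `JWTSubject` contract, and the `User` model, `withJwtClaims()`, `issueVerifiedToken()` and the `token` route are hypothetical names chosen here.

```php
<?php
// Added example; not part of the jwt-auth project or the original issue.
// Assumes tymon/jwt-auth 1.x (JWTAuth facade, JWTSubject contract).
// User, withJwtClaims(), issueVerifiedToken() and the route are hypothetical.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Tymon\JWTAuth\Contracts\JWTSubject;
use Tymon\JWTAuth\Facades\JWTAuth;

class User extends \Illuminate\Foundation\Auth\User implements JWTSubject
{
    // Claims live on the model instance, so each token is built from this
    // array instead of from whatever the shared factory saw last.
    protected array $jwtClaims = [];

    public function withJwtClaims(array $claims): self
    {
        $this->jwtClaims = $claims;
        return $this;
    }

    public function getJWTIdentifier()
    {
        return $this->getKey();
    }

    public function getJWTCustomClaims()
    {
        return $this->jwtClaims;
    }
}

/**
 * Issue a token for $user and, before handing it out, decode it and confirm
 * every intended custom claim is present with the intended value. If a stale
 * value from an earlier parseToken() leaked in, refuse to return the token.
 */
function issueVerifiedToken(User $user, array $claims): string
{
    $jwt = JWTAuth::fromUser($user->withJwtClaims($claims));

    // Check what was actually issued, not what we believe we asked for.
    $payload = JWTAuth::setToken($jwt)->getPayload();
    foreach ($claims as $name => $expected) {
        $actual = $payload->get($name);
        if ($actual !== $expected) {
            throw new RuntimeException(sprintf(
                'claim "%s" is %s, expected %s: stale claim leaked into new token',
                $name,
                json_encode($actual),
                json_encode($expected)
            ));
        }
    }

    return $jwt;
}

Route::get('token', function (Request $request) {
    /** @var User $user  hypothetical: the already-authenticated user */
    $user = $request->user();

    // Even if a token was parsed earlier in this request, the aud claim
    // here comes from the model array, and the result is verified.
    return issueVerifiedToken($user, ['aud' => 'changed']);
});
```

The post-issuance check matters beyond this bug: a claim such as `aud` or a role copied from one parsed token into a token issued for a different subject is an authorization error, and decoding the fresh token before returning it is a cheap way to catch that in any version of the library.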

mattmcdonald-uk commented 4 years ago

There is a bug which means custom claims aren't updated when refreshing a token. There's an open PR for this.

In the meantime you could adapt this gist which behaves like the AuthenticateAndRenew middleware, but updates custom claims.

stale[bot] commented 3 years ago

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.