Closed felixakiragreen closed 5 years ago
@dubert if you want to omit some keys from your token you can. Use the `build_claims` callback on your guardian impl module.
```elixir
defmodule MyApp.Guardian do
  use Guardian, otp_app: :my_app

  # snip ...

  # Drop the default claims that the target token format does not carry.
  def build_claims(claims_so_far, _resource, _options) do
    claims =
      claims_so_far
      |> Map.drop(["aud", "iss", "jti", "nbf", "sub", "typ"])

    {:ok, claims}
  end

  # snip ...
end
```
I don't believe `exp` is required (I've dropped it before in some circumstances). If you find that you want different validation from what is found in `Guardian.Token.Jwt.Verify` you should set your config option `token_verify_module`.
If you do find the default implementation of Guardian's JWT completely unworkable for you, you can always implement a custom token type. https://github.com/ueberauth/guardian/blob/master/lib/guardian/token.ex
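An added example, not part of the thread or of Guardian's code: a module that could be set as `token_verify_module` so that tokens stripped of the default claims are still rejected when `exp` is missing, malformed or in the past. Assumptions: the module name `MyApp.TwitchClaimsVerify` is hypothetical, Guardian is assumed to call `verify_claims/3` on the configured module and to expect `{:ok, claims}` or `{:error, reason}`, and the required claim list simply mirrors the claims named in this thread.

```elixir
defmodule MyApp.TwitchClaimsVerify do
  # Hypothetical module. Assumed wiring (check against your Guardian version):
  #   config :my_app, MyApp.Guardian, token_verify_module: MyApp.TwitchClaimsVerify
  # Assumed contract: verify_claims(mod, claims, opts) returns
  # {:ok, claims} or {:error, reason}.

  # Claims named in the thread; "exp" is kept on purpose after the
  # other defaults ("aud", "iss", "jti", "nbf", "sub", "typ") are dropped.
  @required ["exp", "channel_id", "role", "opaque_user_id", "pubsub_perms"]

  def verify_claims(_mod, claims, _opts) do
    with :ok <- require_present(claims),
         :ok <- check_exp(claims["exp"], System.system_time(:second)) do
      {:ok, claims}
    end
  end

  # Public and clock-injected so boundary cases can be tested deterministically.
  def check_exp(exp, now) when is_integer(exp) and exp > now, do: :ok
  def check_exp(exp, _now) when is_integer(exp), do: {:error, :token_expired}
  def check_exp(_exp, _now), do: {:error, :invalid_exp}

  defp require_present(claims) do
    if Enum.all?(@required, &Map.has_key?(claims, &1)) do
      :ok
    else
      {:error, :missing_required_claim}
    end
  end
end

# Constructed sample claims, not a real Twitch token.
now = System.system_time(:second)

base = %{
  "channel_id" => "1",
  "role" => "external",
  "opaque_user_id" => "U1",
  "pubsub_perms" => %{"send" => ["*"]}
}

samples = [
  Map.put(base, "exp", now + 300),   # well-formed, not expired
  Map.put(base, "exp", now - 1),     # expired
  Map.put(base, "exp", "tomorrow"),  # wrong type
  base                               # exp dropped entirely
]

for claims <- samples do
  IO.inspect(MyApp.TwitchClaimsVerify.verify_claims(nil, claims, []))
end
```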
Thanks! I believe this solves my issue.
I'm trying to replicate this exact format of token: (This is issued by Twitch, and I'm building an extension service that interacts with their API)
I can add claims to cover `channel_id`, `pubsub_perms`, `role`, and `opaque_user_id`, but I can't remove: `"aud"`, `"iss"`, `"jti"`, `"nbf"`, `"sub"`, `"typ"`.

Examining the JWT documentation only `exp` is required while the rest are optional.

Digging into the source code here: https://github.com/ueberauth/guardian/blob/master/lib/guardian/token/jwt.ex#L271-L283 I can see that these values are being hard coded, there is no way to modify or remove them.
Are there any plans to allow this customization?
Or is the recommended solution to use a different token generation library? I'd prefer not to since I'm already using Guardian and it's doing everything else great.