ueberauth / guardian

Elixir Authentication
MIT License

Customizing token headers #536

Closed felixakiragreen closed 5 years ago

felixakiragreen commented 5 years ago

I'm trying to replicate this exact format of token: (This is issued by Twitch, and I'm building an extension service that interacts with their API)

{
  "exp": 1573786888,
  "opaque_user_id": "ARIGM9CV7RpigqPXUUS",
  "role": "viewer",
  "pubsub_perms": {
    "listen": [
      "broadcast",
      "global"
    ]
  },
  "channel_id": "265737932",
  "iat": 1542250888
}

I can add claims to cover channel_id, pubsub_perms, role, and opaque_user_id, but I can't remove: "aud","iss","jti","nbf","sub","typ".

Examining the JWT documentation, only exp is required while the rest are optional.

Digging into the source code here: https://github.com/ueberauth/guardian/blob/master/lib/guardian/token/jwt.ex#L271-L283, I can see that these values are hard-coded; there is no way to modify or remove them.

Are there any plans to allow this customization?

Or is the recommended solution to use a different token generation library? I'd prefer not to since I'm already using Guardian and it's doing everything else great.

hassox commented 5 years ago

@dubert, if you want to omit some keys from your token, you can. Use the build_claims callback on your guardian impl module.

defmodule MyApp.Guardian do
  use Guardian, otp_app: :my_app

  # snip ...

  # Called by Guardian.encode_and_sign/3 after Guardian.Token.Jwt has added
  # its registered claims; the map returned here is what gets signed.
  def build_claims(claims_so_far, _resource, _options) do
    claims =
      claims_so_far
      |> Map.drop(["aud", "iss", "jti", "nbf", "sub", "typ"])

    {:ok, claims}
  end

  # snip ...
end

I don't believe exp is required (I've dropped it before in some circumstances). If you find that you want different validation from what is found in Guardian.Token.Jwt.Verify, you should set your config option token_verify_module.

If you do find the default implementation of Guardian's JWT completely unworkable for you, you can always implement a custom token type. https://github.com/ueberauth/guardian/blob/master/lib/guardian/token.ex
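As an added example (not code from this thread or from the Guardian project), here is a complete implementation module that applies the build_claims approach above to produce the Twitch-shaped claim set from the question, while keeping exp so tokens still expire and replacing the dropped sub with opaque_user_id for resource lookup. The module name, the viewer struct fields and the lookup function MyApp.Viewers.get_by_opaque_id/1 are assumptions.

```elixir
defmodule MyApp.TwitchGuardian do
  # Added example; module name, viewer struct fields and the :my_app OTP app are assumptions.
  use Guardian, otp_app: :my_app

  # Registered claims that Guardian.Token.Jwt adds by itself. Guardian's default
  # verifier only checks "exp", "nbf" and "iss" when the claim is present, so
  # dropping these does not break decode_and_verify/2. "exp" is deliberately
  # kept: without it a leaked token never stops working. Note that without
  # "aud" and "iss" a verifier can no longer tell which service minted the
  # token or who it was minted for, so only drop them when the consuming API
  # defines its own claim set, as the Twitch extension format does.
  @dropped_claims ["aud", "iss", "jti", "nbf", "sub", "typ"]

  @impl true
  def subject_for_token(%{opaque_user_id: id}, _claims), do: {:ok, id}
  def subject_for_token(_resource, _claims), do: {:error, :no_opaque_user_id}

  # Runs after Guardian.Token.Jwt has built its claims; the returned map is
  # what gets signed, so this is the place to shape the final claim set.
  @impl true
  def build_claims(claims_so_far, resource, _options) do
    claims =
      claims_so_far
      |> Map.drop(@dropped_claims)
      |> Map.merge(%{
        "opaque_user_id" => resource.opaque_user_id,
        "role" => resource.role,
        "pubsub_perms" => %{"listen" => resource.listen_topics},
        "channel_id" => resource.channel_id
      })

    {:ok, claims}
  end

  # "sub" is gone, so Guardian.Plug.LoadResource must find the resource via the
  # claim that replaced it. MyApp.Viewers.get_by_opaque_id/1 is an assumed lookup.
  @impl true
  def resource_from_claims(%{"opaque_user_id" => id}) do
    case MyApp.Viewers.get_by_opaque_id(id) do
      nil -> {:error, :resource_not_found}
      viewer -> {:ok, viewer}
    end
  end

  def resource_from_claims(_claims), do: {:error, :no_opaque_user_id}
end
```

Calling MyApp.TwitchGuardian.encode_and_sign(viewer, %{}, ttl: {1, :hour}) with a viewer struct carrying those fields yields a token whose claims are exactly exp, iat, opaque_user_id, role, pubsub_perms and channel_id.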

felixakiragreen commented 5 years ago

Thanks! I believe this solves my issue.