I noticed the sub part of the JWT has always this format: PROVIDER_NAME | RANDOM_NUMBER (e.g. auth0|123456).
Is RANDOM_NUMBER globally unique between providers? Or could happen that two different providers have the same RANDOM_NUMBER?
A bit of background: I’m storing the sub in another system, but was thinking of stripping out the PROVIDER_NAME to expose as less information as possible. Don’t like the idea of someone taking the other system and knowing how many people used google to authenticate for example.
Whie it is extremely unlikely, the RANDOM_NUMBER part could be duplicated between providers.
Based on that, do you see any security risk in making the Auth0 id public? If someone knows my Auth0 id, does it matter?
There is no obvious security risk, but it depends on what you can do with that id.
In the US, if you have my social security number, plus a couple of other bits of information about me, you can open a credit card in my name.
Take a look at your app and see if there is any similar path - anywhere a user in possession of the ID could do something.
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.