JWT sub field: is its second section globally unique?

michele.patrassi · October 26, 2021, 9:01am

Hey there!

I noticed the sub part of the JWT has always this format: PROVIDER_NAME | RANDOM_NUMBER (e.g. auth0|123456).

Is RANDOM_NUMBER globally unique between providers? Or could happen that two different providers have the same RANDOM_NUMBER?

A bit of background: I’m storing the sub in another system, but was thinking of stripping out the PROVIDER_NAME to expose as less information as possible. Don’t like the idea of someone taking the other system and knowing how many people used google to authenticate for example.

Thanks!

john.gateley · October 26, 2021, 1:12pm

Hi @michele.patrassi

Whie it is extremely unlikely, the RANDOM_NUMBER part could be duplicated between providers.

John

michele.patrassi · October 26, 2021, 1:52pm

thanks @john.gateley!

Based on that, do you see any security risk in making the Auth0 id public? If someone knows my Auth0 id, does it matter?

john.gateley · October 27, 2021, 1:17pm

Hi @michele.patrassi

There is no obvious security risk, but it depends on what you can do with that id.

In the US, if you have my social security number, plus a couple of other bits of information about me, you can open a credit card in my name.

Take a look at your app and see if there is any similar path - anywhere a user in possession of the ID could do something.

John

system · November 11, 2021, 1:17pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.