JWT sub field: is its second section globally unique?

Hey there!

I noticed the sub part of the JWT has always this format: PROVIDER_NAME | RANDOM_NUMBER (e.g. auth0|123456).

Is RANDOM_NUMBER globally unique between providers? Or could it happen that two different providers have the same RANDOM_NUMBER?

A bit of background: I’m storing the sub in another system, but was thinking of stripping out the PROVIDER_NAME to expose as little information as possible. I don’t like the idea of someone taking the other system and knowing how many people used Google to authenticate, for example.


Hi @michele.patrassi

While it is extremely unlikely, the RANDOM_NUMBER part could be duplicated between providers.



thanks @john.gateley!

Based on that, do you see any security risk in making the Auth0 id public? If someone knows my Auth0 id, does it matter?

Hi @michele.patrassi

There is no obvious security risk, but it depends on what you can do with that id.

In the US, if you have my social security number, plus a couple of other bits of information about me, you can open a credit card in my name.

Take a look at your app and see if there is any similar path - anywhere a user in possession of the ID could do something.


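A worked illustration of the two points raised in the replies above (the local id is not unique across providers, and the raw id should not leak into another system). This is an added example, not code from the thread or from Auth0: it assumes the `PROVIDER|ID` sub shape described in the question, uses constructed sample subs (two providers deliberately share the same local id), and a made-up secret that would in practice come from a secrets manager. Stripping the provider (`naive_key`) collides; a keyed HMAC over the full sub (`pseudonymous_key`) stays unique per user, hides the provider name, and, unlike a plain unkeyed hash of a six-digit id, cannot be enumerated by whoever obtains the other system's data.

```python
import hashlib
import hmac

# Constructed sample subs in the "PROVIDER|ID" shape discussed in the thread.
# The ids are made up; two providers intentionally share the local id "123456".
SAMPLE_SUBS = [
    "auth0|123456",
    "google-oauth2|123456",
    "auth0|654321",
]


def split_sub(sub: str) -> tuple[str, str]:
    """Split an Auth0-style sub into (provider/connection, local id).

    Rejects values that do not have exactly the "PROVIDER|ID" shape so a
    malformed or empty sub can never be silently stored as a key.
    """
    provider, sep, local_id = sub.partition("|")
    if not sep or not provider or not local_id:
        raise ValueError(f"unexpected sub format: {sub!r}")
    return provider, local_id


def naive_key(sub: str) -> str:
    """The approach from the question: keep only the local id.

    This drops the only part of the sub that distinguishes providers, so
    two users from different providers can map to the same key.
    """
    return split_sub(sub)[1]


def pseudonymous_key(sub: str, secret: bytes) -> str:
    """HMAC-SHA256 over the *full* sub with a secret kept out of the other system.

    - uniqueness: the provider is still part of the input, so cross-provider
      duplicates of the local id do not collide;
    - exposure: the stored value reveals neither provider nor id, and without
      the secret it cannot be brute-forced from small numeric ids.
    """
    return hmac.new(secret, sub.encode("utf-8"), hashlib.sha256).hexdigest()


def count_collisions(keys) -> int:
    """Number of keys that are duplicates of an earlier key."""
    return len(keys) - len(set(keys))


def demo(secret: bytes = b"hypothetical-secret-from-a-secrets-manager") -> tuple[int, int]:
    """Return (collisions when stripping the provider, collisions with HMAC keys)."""
    naive = [naive_key(s) for s in SAMPLE_SUBS]
    pseud = [pseudonymous_key(s, secret) for s in SAMPLE_SUBS]
    return count_collisions(naive), count_collisions(pseud)


if __name__ == "__main__":
    stripped, hmac_keyed = demo()
    print(f"collisions after stripping provider: {stripped}")
    print(f"collisions with keyed HMAC of full sub: {hmac_keyed}")
```

Lookups against the other system then use `pseudonymous_key(sub, secret)` computed on the side that holds the secret; rotating the secret means re-keying existing rows, so treat it as a long-lived key rather than one that changes per deployment.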
