This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
# Expose all access token claims to the FE
This is just a proposal so far, it hasn't been accepted and needs further discussion.
- Proposed by: rishabhpoddar, porcellus
# Context and Problem Statement

When flattening the access token structure and making it into a standard JWT, we have to decide whether it is safe to add all claims (including internally used ones) to the front-token, or not.

# Considered Options
- Hide internal-only claims
- Hide all claims not added by the user
- Expose all claims
# Decision Outcome

We decided to expose all claims to the FE, because:
- Making them accessible to the FE is not a security risk
- Straightforward interface
We can expose `iat`, because such claims have standard names and carry potentially useful information that we expose anyway.
Exposing `sessionHandle` should not cause any issues and could be useful in very rare cases on the frontend to detect session changes. It is only used on the CDI, while getting session information and updating `sessionData` in the database (not in the access token). As a side note, using the session handle to call `updateSessionData` doesn't seem to be documented.
Exposing `parentRefreshTokenHash1` to the frontend should not cause any issues either, since such hashes are never used as part of the CDI or FDI; they are only used in the context of the (signed) access token.