Custom JSON Web Token for Authentication


#1

Hello everyone,

Blockstack Auth uses JWT in authentication. As far as I understood from the code on GitHub, only a few fields of the JWT standard are used in Blockstack. Is it possible to use more JWT fields in a Blockstack-integrated app (such as a phone_number field for SMS verification, to bind a phone number to a Blockstack account)? Does this require a big change in the Blockstack authentication mechanism?

Thanks in advance.


#2

Typically, applications store app-specific data in the user’s Gaia hub, so that once the user signs in, the app will be able to fetch and decode it.

The structure of the auth JWT is not a public interface, and cannot be extended by applications. This is a security feature, since the JWT is signed by the key that owns the name (whereas application data is signed by an app-specific key). If this were not the case, then a rogue application would be able to override or corrupt auth JWT fields.