Question

I'm wondering whether it is bad practice to keep a user's ID in a JWT.

I'm planning on using the email in the sub, since it's already available to them, and I can use it to identify them, all the same. I can let the DB index it so it's easier to retrieve their information using the email rather than the ID.

Isn't it better to avoid giving the user any information regarding how the DB is referencing them, as in the ID? My concern is that I don't know why everyone is fine with using the ID stored in the DB in a JWT, since it can be easily avoided. Isn't there a scenario where it's not a good idea to give them their DB stored ID? The more vague the information, or already available information the user has about themselves, the better, right?


Solution

Suppose the following scenario

  1. A user logs in to your application from 3 different devices.
  2. Each device gets a separate JWT to remember the login, with a different expiration date & time.
  3. That user changes their username and/or email address from device 1.

The question is, is it acceptable that the action in step 3 automatically logs the user out on devices 2 and 3?

If that is not acceptable, then you can't use a key like username or email address to identify the user in the JWT, because there will be a scenario where the JWT will get declared to be invalid as it refers to a non-existent user.

As a surrogate key (typically the ID field in the database) is intended to be immutable, it doesn't have the possibility that a user action on device 1 can (unintentionally) affect the validity of JWT tokens on other devices.


Using internal data in a JWT token may disclose information about your internal database structure, but I don't see that as a real issue. Attackers should not be able to exploit that knowledge due to other security measures like the signatures on JWT tokens and proper server-side access checks on the resources.
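The scenario in this answer, as an added example that is not part of the original answer: a minimal HS256 JWT issuer/verifier on the standard library only, an in-memory user table, and a simulation of the three-device case. Device 2 holds two tokens issued before device 1 changes the email, one with the immutable ID as `sub` and one with the email as `sub`. Both signatures still verify; only the email-keyed token stops resolving to a user. A second function shows that editing the ID claim without the key is rejected by signature verification, which is the "other security measures" point above. The key, user data and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT (compact serialization, no external library)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_jwt(token: str, secret: bytes, now=None) -> dict:
    """Verify alg, signature and exp; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never trust the token's own alg choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if now is None:
        now = int(time.time())
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


class UserStore:
    """Constructed in-memory stand-in for the users table; id is the surrogate key."""

    def __init__(self):
        self._by_id = {}

    def create(self, email: str) -> int:
        uid = len(self._by_id) + 1
        self._by_id[uid] = {"id": uid, "email": email}
        return uid

    def find_by_id(self, uid: int):
        return self._by_id.get(uid)

    def find_by_email(self, email: str):
        return next((u for u in self._by_id.values() if u["email"] == email), None)

    def change_email(self, uid: int, new_email: str) -> None:
        self._by_id[uid]["email"] = new_email


def resolve_by_id_sub(token, secret, store, now):
    # sub is a string per RFC 7519, so the ID is carried as str and parsed back
    return store.find_by_id(int(decode_jwt(token, secret, now)["sub"]))


def resolve_by_email_sub(token, secret, store, now):
    return store.find_by_email(decode_jwt(token, secret, now)["sub"])


SECRET = b"constructed-example-key-do-not-reuse"


def simulate_email_change() -> dict:
    """Device 2's tokens after device 1 changes the email; both still verify."""
    store = UserStore()
    uid = store.create("alice@example.com")
    now = 1_700_000_000  # constructed clock so the example is deterministic
    tok_id = encode_jwt({"sub": str(uid), "exp": now + 3600}, SECRET)
    tok_email = encode_jwt({"sub": "alice@example.com", "exp": now + 3600}, SECRET)
    store.change_email(uid, "alice@new.example")  # the action on device 1
    return {
        "id_sub_resolves": resolve_by_id_sub(tok_id, SECRET, store, now) is not None,
        "email_sub_resolves": resolve_by_email_sub(tok_email, SECRET, store, now) is not None,
    }


def tampered_id_is_rejected() -> bool:
    """Knowing the ID scheme does not help: a re-encoded payload fails the MAC."""
    now = 1_700_000_000
    token = encode_jwt({"sub": "1", "exp": now + 3600}, SECRET)
    h, _, s = token.split(".")
    forged_payload = _b64url(json.dumps({"sub": "2", "exp": now + 3600}).encode())
    try:
        decode_jwt(f"{h}.{forged_payload}.{s}", SECRET, now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(simulate_email_change())
    print("tampered id rejected:", tampered_id_is_rejected())
```

The email-keyed token is not cryptographically invalid after the change; it is the server-side lookup that fails, which is why the failure mode surfaces only on the devices that did not perform the change.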

License: CC-BY-SA with attribution
Not affiliated with softwareengineering.stackexchange