Usage of "sub" in the JWT Token documentation https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/

[cmflynn]

From what I've gathered the "sub" or "subject" field in the JWT token(https://tools.ietf.org/html/rfc7519#section-4.1) payload should be locally or globally unique. The documentation uses the username from the form data in the payload.

Is this a good practice? In a few examples I've found others using a unique id instead like 19898981.

[Mause]

That code is purely for demo purposes, not intended to be used in a production system

[cmflynn]

That code is purely for demo purposes, not intended to be used in a production system

Yep definitely understand. My question is more around how it should work in a production system? AFAIK the spec just says sub should be locally unique in the current context or globally unique. I suppose a username is unique but the username ID in some database is the most unique way to represent that. just curious what the thoughts are of the fastapi devs :)

[Mause]

I mean, that is correct - it should be a unique identifier for the user, whether that be their username or user id

[tiangolo]

Thanks for the help @Mause! 🍰

And thanks for coming back to close the issue @cmflynn ☕

Sorry for the long delay! 🙈 I wanted to personally address each issue/PR and they piled up through time, but now I'm checking each one in order.