The way to figure out if you’re using the new API Authorization features or not is:
- Check if you pass an `audience` parameter to the `/authorize` endpoint
- Check if the `client_id` you’re using for the request is marked as OIDC-Conformant under Clients → Settings → Advanced Settings → OAuth
- Check if you have a Default Audience configured here
You only get a very small subset of the available properties because you are likely not requesting the appropriate `scope` in the `/authorize` request. For example, you can try `scope=openid profile` to see all the possible properties available in `id_token`s and on the `/userinfo` endpoint by default.
If you want to make more properties available to clients through `id_token`s or the `/userinfo` endpoint, you have 2 options:
- Trusted clients
Trusted clients may use our Management API v2 to GET a user’s full profile based on only their `user_id`, which is the `sub` claim in the `id_token` and response from `/userinfo`.
- Untrusted clients
For clients that you don’t trust with access to our Management API v2 (such as SPAs, mobile apps, etc.) you will need to set up a Rule like this:
```javascript
function (user, context, callback) {
  // NOTE: namespace cannot be *.auth0.com
  var namespace = 'http://example.com/';
  // Make sure the token objects exist before adding claims to them
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  // Custom claims must be namespaced; non-namespaced claims are dropped
  context.idToken[namespace + 'myUserId'] = '123';
  context.accessToken[namespace + 'myScope'] = '123';
  console.log('+] User', user);
  console.log('+] Context', context);
  callback(null, user, context);
}
```
With that Rule set up, you should always get `id_token`s including your custom namespaced claims such as `http://example.com/myUserId`, regardless of the `scope` requested.
Sample `id_token` with the Rule:
```json
{
  "iss": "https://amaanc-exp.auth0.com/",
  "sub": "auth0|58352a92d4dc5c1f2124ae04",
  "aud": "ynJZ5LNueqMTFAy9SFVjsT8jHM7lv8zc",
  "exp": 1487265949,
  "iat": 1487229949,
  "nonce": "abc",
  "at_hash": "XZEP0MVWmKbYVOzS4l_8qg",
  "http://example.com/myUserId": "123"
}
```
Please note that the `/userinfo` endpoint reflects the custom claims that have been added to the `id_token` via a Rule.
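The following is an added example, not code from the answer above or from Auth0: it models the Rule's namespaced-claim injection (generalised to a map of claims and enforcing the "namespace cannot be *.auth0.com" note), and the client-side read of those claims from an `id_token` payload after checking `iss`, `aud` and `exp`. Function names and the sample token are assumptions; it assumes Node.js 16 or later for `Buffer`'s `base64url` encoding.

```javascript
// Added example, not from the original answer. Function names and sample
// values are assumed; the payload mirrors the sample id_token on the page.

// Rule side: allow only namespaces whose host is not auth0.com or a subdomain.
function isAllowedNamespace(ns) {
  let url;
  try { url = new URL(ns); } catch (e) { return false; }
  const host = url.hostname.toLowerCase();
  return host !== 'auth0.com' && !host.endsWith('.auth0.com');
}

// Same effect as the Rule body above, generalised to a map of claims.
function addNamespacedClaims(context, namespace, claims) {
  if (!isAllowedNamespace(namespace)) {
    throw new Error('namespace cannot be *.auth0.com: ' + namespace);
  }
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  for (const [name, value] of Object.entries(claims)) {
    context.idToken[namespace + name] = value;
    context.accessToken[namespace + name] = value;
  }
  return context;
}

// Client side: base64url-decode the payload of a compact JWT. This only parses;
// the signature must be verified against the tenant's JWKS before trusting it.
function decodePayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Check iss/aud/exp, then return only the claims under our namespace, prefix stripped.
function readNamespacedClaims(payload, { issuer, audience, namespace, now }) {
  if (payload.iss !== issuer) throw new Error('unexpected iss');
  if (payload.aud !== audience) throw new Error('unexpected aud');
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('token expired');
  const out = {};
  for (const [key, value] of Object.entries(payload)) {
    if (key.startsWith(namespace)) out[key.slice(namespace.length)] = value;
  }
  return out;
}

// Constructed sample: wraps a payload in a compact token with a placeholder signature.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return enc({ alg: 'RS256', typ: 'JWT' }) + '.' + enc(payload) + '.placeholder-signature';
}
```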