What is the correct way to add custom claims to id_tokens and the /userinfo endpoint and get the complete user profile?

amaanc · February 16, 2017, 3:34pm

The way to figure out if you’re using the new API Authorization features or not is:

Check if you pass an audience parameter to the /authorize endpoint
Check if the client_id you’re using for the request is marked as OIDC-Conformant under Clients → Settings → Advanced Settings → OAuth
Check if you have a Default Audience configured here

You only get a very small subset of the available properties because you are likely not requesting the appropriate scope in the /authorize request. For example, you can try scope=openid profile to see all the possible properties available in id_tokens and on the /userinfo endpoint by default.

If you want to make more properties available to clients through id_tokens or the /userinfo endpoint, you have 2 options:

Trusted clients

Trusted clients may use our Management API v2 to GET a user’s full profile based on only their user_id, which is the sub claim in the id_token and response from /userinfo.

Untrusted clients

For clients that you don’t trust with access to our Management API v2 (such as SPAs, mobile apps, etc.) you will need to setup a Rule like this:

function (user, context, callback) {
  // NOTE: namespace cannot be *.auth0.com
  var namespace = 'http://example.com/';
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  
  context.idToken[namespace + 'myUserId'] = '123';
  context.accessToken[namespace + 'myScope'] = '123';
  
  console.log('+] User', user);
  console.log('+] Context', context);
  callback(null, user, context);
}

With that Rule setup, you should get id_tokens including your custom namespaced claims such as http://example.com/myUserId always, regardless of the scope requested.

Sample id_token with the Rule:

{
  "iss": "https://amaanc-exp.auth0.com/",
  "sub": "auth0|58352a92d4dc5c1f2124ae04",
  "aud": "ynJZ5LNueqMTFAy9SFVjsT8jHM7lv8zc",
  "exp": 1487265949,
  "iat": 1487229949,
  "nonce": "abc",
  "at_hash": "XZEP0MVWmKbYVOzS4l_8qg",
  "http://example.com/myUserId": "123"
}

Please note that the /userinfo endpoint reflects the custom claims that have been added to the id_token via a Rule.

Topic		Replies	Views
Unable to fetch user info through userprofile API Help	13	6020	January 21, 2019
Best practices for custom claims using OIDC-conformant Auth0.js Help auth0js	4	6682	September 3, 2019
Only include specific claims in UserInfo (OIDC Compliant Flow) Help oidc-conformant , custom-claims	2	4009	December 14, 2018
How do you return custom claims to userinfo endpoint when using OIDC? Help userinfo , oidc , custom-claims	3	6810	March 2, 2018
Getting userinformation in the access token Help user-profile , user-management	2	793	July 24, 2023

What is the correct way to add custom claims to id_tokens and the /userinfo endpoint and get the complete user profile?

Related topics