How to add custom claim to JWT

Hi,

I’m using Auth0 to provide user ID and authentication for an async chat project.
At the moment I’m only able to get the customerID (sub claim) to pass, as that is all Auth0 provides in the user database.
I can also add user/app metadata, but the structure does not work with the async platform I am using.

I need the payload to look like so, where “lp_sdes” is my custom claim:

    {
       "sub":"4255551212",
       "iss":"https://www.YourBrand.com",
       "exp":1446115352000,
       "iat":1446111752000,
       "preferred_username":"JohnDoe",
       "phone_number":"+1-10-344-3765333",
       "lp_sdes":[
          {
             "type":"ctmrinfo",
             "info":{
                "cstatus":"cancelled",
                "ctype":"vip",
                "customerId":"138766AC",
                "balance":-400.99,
                "socialId":"11256324780",
                "imei":"3543546543545688",
                "userName":"user000",
                "companySize":500,
                "accountName":"bank corp",
                "role":"broker",
                "lastPaymentDate":{
                   "day":15,
                   "month":10,
                   "year":2014
                },
                "registrationDate":{
                   "day":23,
                   "month":5,
                   "year":2013
                }
             }
          }
       ]
    }

Can this be done with Auth0 user database or do I have no choice but to connect to an external user database and manage it all externally?

Thanks

It may just be that you need to apply a namespace to the claim and add it to the access token from a rule (e.g. “http://myapp.example.com/lp_sdes”) as described here:
OpenID Connect Scopes

Hi @brian.hulick ,
Thank you for the reference.
I’ve setup a rule with the following code:

    function (user, context, callback) {
      var namespace = 'https://mydomain.com';
      // Note: no "/" between the namespace and the claim name, so the
      // resulting key is "https://mydomain.comlp_sdes" (see the token below).
      context.idToken[namespace + "lp_sdes"] = user.user_metadata.lp_sdes;
      callback(null, user, context);
    }

And it works, but the JWT is returned like so:

    "https://mydomain.comlp_sdes": [
      {
        "type": "ctmrinfo",
        "info": {
          "cstatus": "cancelled",
          "ctype": "vip",
          "customerId": "138766AC",
          "balance": -400.99,
          "socialId": "11256324780",
          "imei": "3543546543545688",
          "userName": "user000",
          "companySize": 500,
          "accountName": "bank corp",
          "role": "broker",
          "lastPaymentDate": {
            "day": 15,
            "month": 10,
            "year": 2014
          },
          "registrationDate": {
            "day": 23,
            "month": 5,
            "year": 2013
          }
        }
      }
    ]

I need it to push in the metadata without the namespace, but it won’t trigger if I don’t declare the URL or the namespace.

Any suggestions?

David

I believe this is the intended behavior as described here:

In order to improve compatibility for client applications, Auth0 will now return profile information in a structured claim format as defined by the OIDC specification. This means that it is no longer possible to add arbitrary claims to ID tokens or access tokens. Custom claims may still be added, but must conform to a namespaced format to avoid possible collisions with standard OIDC claims.

Are you able to modify the code that ultimately uses this token so that it looks for a claim named “https://mydomain.com/lp_sdes” rather than just “lp_sdes”?

I had a feeling that I was limited due to what you have quoted, but I had to ask anyways.

Unfortunately, I cannot modify the application to accept a new name.
I guess I will have to either use an external user database or go with something like Node.JS to create and sign JWTs.

It’s a shame, I like Auth0 :)

This is just my impression so I would definitely wait to hear from or reach out to someone with Auth0 as there may be ways of handling this that I’m unaware of.