Add custom claims to a self-generated JWT

kurt.sys · July 12, 2020, 7:17pm

Context: I’m using hasura which allows me to authenticate basically in 2 ways (well, 4, but only 2 apply): JWT or admin key. Since I don’t want to expose the admin key in any other service, I want to use JWT. My first idea was to use the generated JWT inside the rule, but since there’s no JWT generated yet (since we can add claims), that’s not an option.
This means that I need to generate a JWT with custom claims. I know I can generate JWTs with the APIs, but they do not contain the necessary (custom) claims, like:

{
  "https://hasura.io/jwt/claims": {
    "x-hasura-default-role": "user",
    "x-hasura-allowed-roles": [
      "user"
    ],
    "x-hasura-user-id": "something-whatever"
  },
  "iss": "...",
  "sub": "something-whatver",
  "aud": [
    "...",
    "....auth0.com/userinfo"
  ],
  "iat": 1594579306,
  "exp": 1924991999,
  "azp": "...",
  "scope": "openid profile email"
}

Or: how can I generate a JWT with custom claims? (Auth0 doesn’t expose the private signing key, so I can’t generate it using that key. I hope there is a way to generate JWTs with custom claims.)

Thanks, Kurt

fyio: this is not about adding custom claims to JWTs that are send back to a user who logs in. There are rules to do that, that’s not the problem. I want to enrich the profile of the user logging in by doing a call to another service, which needs an JWT for auth. It is about generating a JWT that can be used as ‘api key’ for another service.

thameera · July 13, 2020, 1:30am

Hey @kurt.sys, do you want to generate a JWT within a rule and call an API from there itself? In that case, you may have to generate that with your own client ID/secret pair or your own public/private key pair.

There’s an example here: rules/jwt.js at master · auth0/rules · GitHub (only the JWT creation part of that example is applicable here)

If the API is called after the user logs in, then you can use the Auth0-generated access token.

kurt.sys · July 13, 2020, 6:39am

If I understand well, in the case of the JWT generated within a rule, I can’t sign it with the auth0 private key? That would mean that my external service needs to accept JWTs signed by 2 different keys, which is not possible. On me external service, I set the public key of auth0 to verify any call. On that service, or a authenticated user makes requests (which works fine), or an auth0 rule makes a request. Both requests need to send a JWT signed by the same key.
Is it possible to generate a JWT within a rule, using the private key of auth0?

thameera · July 13, 2020, 7:43am

That’s right. The tenant’s private key is accessible to the tenant only, and it’s not possible to sign other tokens with it. One workaround might be to call the API after authentication (though it might not work for your use case).

kurt.sys · July 13, 2020, 8:11am

Yeah, but that won’t work: I want to enrich the JWT payload. After login is obviously too late :). Too bad, not sure how to solve this properly right now.

stefdelec · August 30, 2021, 2:15pm

I have the same problem.
Any update on this?

thameera · August 31, 2021, 2:21am

If you want to enrich the JWT that is issued from Auth0, you can do it by adding custom claims in the rules/actions but you cannot access the final token there, because the token is generated after all these are completed. This is not something that will likely be changed.

However, you can create your own JWT with your own secret/private key if that works.

konrad.sopala · August 31, 2021, 9:14am

Thanks Thameera for helping on this one!

system · September 15, 2021, 9:15am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.