Add custom claims to /userinfo but NOT id_token

Is this possible? The only way I’ve been able to get /userinfo to return custom info is to have a rule add claims to the context.idtoken[mynamspace].

Is there any way to avoid putting data in the id_token that I want to get with userinfo calls?

Hi @chargraves,

Welcome to the Auth0 Community!

Unfortunately, there is no way to add custom claims to the /userinfo endpoint.

First, you can only make a GET request to the /userinfo endpoint, meaning that you can only read the data.

Next, the recommended way for adding custom claims is by using a Rule, as you have done. This is also described in our docs here.

Unfortunately, there isn’t any way to call the /userinfo without the already appended custom claims. This is because, in the authorization flow, rules are triggered immediately after a successful login. Therefore, the tokens you request will always have the custom claims included.

In this scenario, there are a couple of options. You could either disable the rule completely, but I don’t believe this is what you want.

Or, you could filter the results from the /userinfo request for only the claims you want.

Please let me know if you have any further questions.

Thank you.

Hi @chargraves,

It’s been some time since I have heard from you.

I believe I may have misunderstood your question and wanted to address it again.

Unfortunately, it is not possible to specifically add custom claims to the /userinfo endpoint. If you must retrieve custom claims from the /userinfo endpoint, you must write a Rule that appends the custom claims to the id token.

Doing so will allow you to call the /userinfo endpoint to retrieve the custom claims:

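function (user, context, callback) {
  // Custom claims must be namespaced so they do not collide with standard OIDC claims
  const namespace = 'https://myapp.example.com';
  const custom_claim = "YOUR_CUSTOM_CLAIM";

  // Start from any claims already set on the ID token by earlier rules
  let idTokenClaims = context.idToken || {};

  idTokenClaims[`${namespace}/custom_claim`] = custom_claim;

  // Claims placed on context.idToken are also returned by /userinfo
  context.idToken = idTokenClaims;

  return callback(null, user, context);
}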

Please let me know if there are any further questions. I’d be happy to help.

Thank you

Does /userinfo return custom ID-token claims that are not added to the access token?

Use case - make the heavier claims available to stateless downstream APIs from /userinfo, while keeping the access token light. ID token stays in the frontend, it is not passed to downstream requests.


Hi @studio.telephus,

Yes, the /userinfo does return custom ID Token claims.

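An added example, not part of the original thread or Auth0's own code: a downstream API calling /userinfo with the access token and keeping only the namespaced custom claims it needs, which is the filtering approach suggested in the first reply. The function names, the allowlist, the tenant URL and the sample response are assumptions constructed for illustration; the namespace matches the Rule posted above.

```javascript
// Added example; function names, the allowlist and the sample data are illustrative.
const NAMESPACE = 'https://myapp.example.com'; // namespace used by the Rule in the thread

// Constructed /userinfo response: standard OIDC claims plus namespaced custom claims.
const SAMPLE_USERINFO = {
  sub: 'auth0|constructed-user-id',
  email: 'user@example.com',
  'https://myapp.example.com/custom_claim': 'YOUR_CUSTOM_CLAIM',
  'https://myapp.example.com/internal_notes': 'not needed by this API',
  'https://other.example.com/custom_claim': 'different namespace',
};

// Keep only allowlisted claims under the namespace, returned with the prefix removed.
function pickCustomClaims(userinfo, namespace, allowed) {
  const prefix = namespace.endsWith('/') ? namespace : `${namespace}/`;
  const picked = {};
  for (const [key, value] of Object.entries(userinfo)) {
    if (!key.startsWith(prefix)) continue; // standard claims and other namespaces are dropped
    const name = key.slice(prefix.length);
    if (allowed.includes(name)) picked[name] = value;
  }
  return picked;
}

// Call /userinfo with the access token (GET only) and filter the result.
// fetchImpl is injectable so the function can be exercised offline.
async function fetchCustomClaims(issuer, accessToken, allowed, fetchImpl = fetch) {
  const res = await fetchImpl(new URL('/userinfo', issuer), {
    method: 'GET',
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!res.ok) throw new Error(`/userinfo request failed with status ${res.status}`);
  return pickCustomClaims(await res.json(), NAMESPACE, allowed);
}
```

The allowlist keeps a claim added to the ID token later from flowing into the API unreviewed.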