
Adding user's claims to JWT

Hello,
I am using Auth0 to authenticate to an Angular SPA application. I have rules set up to add more claims to the user profile from the users' application metadata (more specifically 'employeeid' and 'roles').
Then the SPA application gets a JWT token to call a secure REST web service (ASP.NET Core) via:
// Requests a token for the configured audience through the Auth0 SPA client
// (concatMap and from are RxJS operators; Auth0Client is from @auth0/auth0-spa-js)
return this.auth0Client$.pipe(
  concatMap((client: Auth0Client) => from(client.getTokenSilently(options)))
);

However, the token doesn't have any of the user's claims. How can I add those claims to the JWT token?

Thank you

There’s reference information about adding custom claims to issued tokens at (https://auth0.com/docs/api-auth/tutorials/adoption/scope-custom-claims#custom-claims). In that page there’s a rule example for adding claims to an ID token, but a very similar approach would also apply to the access token.

You did not share the rule you are using to try to add the claims, so it's complex to guess the exact possible issue, but it's important to note that custom claims need to be namespaced, as mentioned in the documentation.

Also, you refer to the token by the format (JWT) the token uses; however, the service can issue different types of tokens, and each will have one or more associated formats. For example, an ID token is always a JWT, but an access token issued for API Authorization will currently also default to being a JWT. In other words, it's best to be explicit and refer to the type of token instead of the format.

You mention it is a JWT to call an API, so assuming you defined this API in your Auth0 dashboard, you would need to add claims to the access token.

Thank you for your prompt reply. Allow me to clarify a few things.
I have the following configured in auth0 dashboard:

  1. A single-page application, let's call it "SecureSPA"
  2. A custom API with "API Audience" set up as "http://api.authspa.com"

The SecureSPA app is based on a sample application generated by Auth0 for Angular SPA applications, where users can log in, self-register, and get authenticated into the app.
SecureSPA gets user info through auth0Client$ in auth.services.ts (generated by the sample app). One of the config parameters when creating auth0Client$ is audience: 'http://api.authspa.com'
SecureSPA also needs to make HTTP calls to the authorized REST API (configured in the Auth0 dashboard). It gets (an access?) token in auth.services.ts via client.getTokenSilently(options) (code generated by the sample app).

After users self-registered, I manually added application metadata with an "employee" id for each user, and set up the following rule based on the "Set roles to a user" Auth0 template:

function (user, context, callback) {
  // Persist app_metadata, then copy roles and employeeid into the ID token as namespaced claims
  auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
    .then(function () {
      context.idToken['https://AuthSpa.com/roles'] = user.app_metadata.roles;
      context.idToken['https://AuthSpa.com/employeeid'] = user.app_metadata.employeeid || 'na';
      callback(null, user, context);
    })
    .catch(function (err) {
      callback(err);
    });
}

The rule works when a user logs into the SPA app; I see all the claims and roles in the user profile. But when the SPA app makes calls to the Secure SPA application with the token, I don't see any claims or roles in the access token used for the REST API calls. Do I need another rule for the API access token? Please advise.
I hope this information makes it clearer what I am trying to do.

With that rule you are only adding claims to the ID token which is the token the client application validates and extracts user information from.

If the API that will be called with the access token will also need equivalent information you can update the rule to also perform the following:

context.accessToken['https://AuthSpa.com/roles'] = user.app_metadata.roles;
context.accessToken['https://AuthSpa.com/employeeid'] = user.app_metadata.employeeid || 'na';

The above includes the same two custom claims into the access token due to the use of context.accessToken. The API that validates this access token can then extract this information.
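Putting the two answers together, here is an added example of a complete rule that stamps the same namespaced claims on both the ID token and the access token. This is not the poster's rule, not Auth0's "Set roles to a user" template, and not code from the thread; it is written here to illustrate the approach. The namespace 'https://AuthSpa.com/' and the API identifier 'http://api.authspa.com' are taken from the thread; the audience check on context.request.query.audience and the runRuleLocally() harness with its constructed user/context objects are this example's own additions so the rule can be exercised offline, outside a tenant.

```javascript
// Added example (not the poster's rule, not Auth0's template): one Auth0 rule
// that adds namespaced claims to BOTH the ID token and the access token.
// Assumptions: NAMESPACE and API_AUDIENCE are the values used in the thread;
// the objects built in runRuleLocally() are constructed stand-ins for the
// user/context objects Auth0 passes to a rule at login time.

const NAMESPACE = 'https://AuthSpa.com/';
const API_AUDIENCE = 'http://api.authspa.com';

// Custom claims must be namespaced with a URL-style prefix. Reject anything
// that is not an absolute http(s) URL ending in '/' so a typo cannot quietly
// produce a non-namespaced claim name that Auth0 drops from the token.
function isValidNamespace(ns) {
  try {
    const u = new URL(ns);
    return (u.protocol === 'https:' || u.protocol === 'http:') && ns.endsWith('/');
  } catch (e) {
    return false;
  }
}

// The rule: same signature Auth0 rules use, function (user, context, callback).
function addEmployeeClaims(user, context, callback) {
  if (!isValidNamespace(NAMESPACE)) {
    return callback(new Error('claim namespace must be an absolute URL ending in /'));
  }
  const meta = user.app_metadata || {};
  const claims = {
    [NAMESPACE + 'roles']: Array.isArray(meta.roles) ? meta.roles : [],
    [NAMESPACE + 'employeeid']: meta.employeeid || 'na',
  };

  // ID token: what the SPA reads for profile display and UI decisions.
  Object.assign(context.idToken, claims);

  // Access token: what the REST API validates. This is the part missing from
  // the original rule. Only add the claims when the token was requested for
  // our API (the audience the client sent to /authorize is exposed to rules
  // as context.request.query.audience), so tokens for other audiences stay untouched.
  const query = (context.request && context.request.query) || {};
  if (query.audience === API_AUDIENCE) {
    Object.assign(context.accessToken, claims);
  }
  return callback(null, user, context);
}

// Local harness with constructed user/context objects. Returns the two token
// payloads the rule produced so the effect is visible without a tenant.
function runRuleLocally(appMetadata, requestedAudience) {
  const user = { user_id: 'auth0|constructed-example', app_metadata: appMetadata };
  const context = {
    idToken: {},
    accessToken: {},
    request: { query: { audience: requestedAudience } },
  };
  let result = null;
  addEmployeeClaims(user, context, function (err, u, c) {
    if (err) throw err;
    result = { idToken: c.idToken, accessToken: c.accessToken };
  });
  return result;
}

// Demo run: a user with roles and an employeeid requesting a token for the API.
console.log(JSON.stringify(
  runRuleLocally({ roles: ['admin'], employeeid: 'E42' }, API_AUDIENCE), null, 2));
```

Run it with node: the printed accessToken carries both 'https://AuthSpa.com/roles' and 'https://AuthSpa.com/employeeid', while a run with a different (or missing) audience leaves the access token empty and only the ID token populated. The audience guard is optional; dropping it reproduces the simpler two-line fix from the answer above, where every access token the user obtains gets the claims. On the API side, the claim names are the full namespaced strings, so the ASP.NET Core service has to look them up by that exact name rather than by the bare "roles" or "employeeid".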