Best practices for custom claims using OIDC-conformant Auth0.js

I don’t think it’s fully wrong, but it’s definitely not a best practice.

  1. For starters, you’re completely throwing out a couple of OIDC features. For instance, you’re giving up the normalized user profile Auth0 provides, which you would get if you were to use scopes like email, profile, address and phone.

  2. There’s also the issue of oversharing: do you really want the user (because they’re capable of viewing and decoding the ID token) to see literally everything in their profile?

  3. You run into the risk of making your token too big. The token is sent back to your app as a URL hash and that means you can run into the maximum URL length. You wouldn’t be the first: The generated token is too large - #2 by jmangelo

So, I’d say for those three reasons (not in the spirit of OIDC, oversharing and risk of an oversized token), I wouldn’t advise it. But again… it’s a bit of a grey area.

Anyone else with more experience (or, fingers crossed, an Auth0 employee) who can help out here?

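To make the three concerns above concrete (the user can decode the ID token, a full-profile custom claim overshares, and a large token can overflow the callback URL), here is an added, self-contained Python example. It is not code from this thread, from Auth0.js or from Auth0; it mints HS256 JWTs with a constructed demo secret, uses a hypothetical namespaced claim `https://example.invalid/claims/full_profile`, and treats 2048 characters as an assumed conservative URL-length ceiling. The constructed login-history list stands in for "everything in the profile".

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret and claims; nothing here is real Auth0 data.
DEMO_SECRET = b"demo-hs256-secret-not-for-production"

# Assumed conservative ceiling for a callback URL carrying the token in the hash.
MAX_SAFE_URL_LENGTH = 2048

# Claims an OIDC client gets from the standard scopes (openid, profile, email).
STANDARD_OIDC_CLAIMS = {
    "iss", "sub", "aud", "exp", "iat", "nonce",
    "name", "given_name", "family_name", "picture", "updated_at",
    "email", "email_verified", "phone_number", "address",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT with the shape of an OIDC ID token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def read_claims_without_verifying(token: str) -> dict:
    """What the end user (or anyone holding the token) can do: no secret needed."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def oversharing_keys(claims: dict, standard=STANDARD_OIDC_CLAIMS) -> list:
    """Custom (non-standard) claims the user will see in their own ID token."""
    return sorted(k for k in claims if k not in standard)


def implicit_flow_fragment_length(id_token: str) -> int:
    """Length of the callback URL when the token is returned in the URL hash."""
    callback = "https://example.invalid/callback#id_token=" + id_token + "&state=xyz"
    return len(callback)


def exceeds_url_limit(id_token: str, limit: int = MAX_SAFE_URL_LENGTH) -> bool:
    return implicit_flow_fragment_length(id_token) > limit


# Constructed: the normalized profile you get from standard scopes.
LEAN_CLAIMS = {
    "iss": "https://example.invalid/", "sub": "auth0|demo-user", "aud": "demo-client",
    "iat": 1700000000, "exp": 1700003600, "nonce": "n-0S6_WzA2Mj",
    "name": "Jane Doe", "email": "jane@example.com", "email_verified": True,
}

# Constructed: the same token plus a custom claim that dumps the whole profile.
BLOATED_CLAIMS = dict(LEAN_CLAIMS)
BLOATED_CLAIMS["https://example.invalid/claims/full_profile"] = {
    "app_metadata": {"internal_notes": "escalated twice", "plan": "enterprise"},
    "login_history": [
        {"ip": f"203.0.113.{i}", "ts": f"2024-01-{i % 28 + 1:02d}T00:00:00Z"}
        for i in range(40)
    ],
}

LEAN_TOKEN = mint_id_token(LEAN_CLAIMS)
BLOATED_TOKEN = mint_id_token(BLOATED_CLAIMS)


def compare_tokens() -> dict:
    """Summarize the two tokens: what leaks and how big the callback URL gets."""
    return {
        "lean_url_length": implicit_flow_fragment_length(LEAN_TOKEN),
        "bloated_url_length": implicit_flow_fragment_length(BLOATED_TOKEN),
        "bloated_exceeds_limit": exceeds_url_limit(BLOATED_TOKEN),
        "user_visible_custom_claims": oversharing_keys(read_claims_without_verifying(BLOATED_TOKEN)),
    }


if __name__ == "__main__":
    print(json.dumps(compare_tokens(), indent=2))
```

Running it shows the lean token fitting comfortably in the callback URL while the full-profile variant blows past the assumed limit, and that the `internal_notes` field is readable by the user with nothing more than a base64 decode, which is the oversharing point above.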