Cannot add standard claim to accessToken, only to idToken

I’m using a rule to add an email_verified property into the access token. If I add it as a custom claim (e.g. http://mydomain/email_verified) it works fine, however if I add it just as email_verified, it gets dropped.
Since email_verified is an OIDC standard claim (it’s in the list at https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims), I’m wondering why it’s being dropped.

Is it only possible to add custom claims to the access token, not standard claims? Can you only add standard claims to id tokens? Anybody know why this is?

Thanks,
Frans

It’s important to have in mind that OpenID Connect only defines the concept of the ID token. In other words, this specification dictates that an ID token is a token using the JWT format and within that token standard claims also defined by the same specification will appear.

In other words, the list of standard claims you mention apply only to the ID token or the /userinfo endpoint as that is what the specification defines. An access token issued following OAuth 2.0 authorization framework can technically use any token format that the authorization servers chooses which then means that technically there’s no concept of standard claims for the access token (at leat within the OIDC specification).

At this time, access tokens issued by the Auth0 service will either use an opaque format or the JWT format; the format used will depend on the purpose of that access token and although the JWT specification itself also defines some standard claims I believe none would be controllable from rules so effectively for access tokens using rules you can only control custom claims.

1 Like