I’m using a rule to add an email_verified property into the access token. If I add it as a custom claim (e.g. http://mydomain/email_verified) it works fine, however if I add it just as email_verified, it gets dropped.
Since email_verifiedis an OIDC standard claim (it’s in the list at Final: OpenID Connect Core 1.0 incorporating errata set 1), I’m wondering why it’s being dropped.
Is it only possible to add custom claims to the access token, not standard claims? Can you only add standard claims to id tokens? Anybody know why this is?
It’s important to have in mind that OpenID Connect only defines the concept of the ID token. In other words, this specification dictates that an ID token is a token using the JWT format and within that token standard claims also defined by the same specification will appear.
In other words, the list of standard claims you mention apply only to the ID token or the /userinfo endpoint as that is what the specification defines. An access token issued following OAuth 2.0 authorization framework can technically use any token format that the authorization servers chooses which then means that technically there’s no concept of standard claims for the access token (at leat within the OIDC specification).
At this time, access tokens issued by the Auth0 service will either use an opaque format or the JWT format; the format used will depend on the purpose of that access token and although the JWT specification itself also defines some standard claims I believe none would be controllable from rules so effectively for access tokens using rules you can only control custom claims.