
Correct way to request userinfo claims (OIDC client)

oidc-conformant
custom-claims
claims

#1

I’m trying to conform to the openid-connect 1.0 spec. Section 5.5 specifies that the “claims” parameter is optional to request that specific Claims be returned.

When supplying a claims parameter to the /authorize endpoint, I get the following log error:

{
  "body": {},
  "qs": {
    "claims": "%7B%22userInfo%22%3A%7B%22https%3A%2F%2Fme.com%2Fpermissions%22%3Anull%7D%7D",
    "response_type": "code",
    "client_id": "SogZ8yNPaHAdiiWKcpERY7u8nuRvm2tc",
    "redirect_uri": "http://auth0.me.com/auth/auth0/callback",
    "scope": "openid openid profile email",
    "state": "+Rf0Scm+NsLDbZ6NlRcZ6ZZn"
  },
  "error": {
    "message": "Failed to parse claims as JSON",
    "oauthError": "invalid_request",
    "type": "request-error"
  }
}

Auth0 docs for the /authorize endpoint seem to disagree by requesting that custom claim requests be added to the scope parameter.

Am I reading the OpenID-Connect spec incorrectly? Is there a specific way I need to format the claims parameter value to be parsed as JSON correctly?


#2

At this time, that method of requesting claims is not supported, so you should use the scope method as the way to request end-user information that you want to have available for the client application (either in the ID token or user information endpoint). As an additional note, based on the error and log entry values, the reason for the error may be double encoding of the JSON value; however, given this is not supported, I would not even try to get past that hurdle, as it would likely result in other issues or the parameter request just being ignored.
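
The double encoding mentioned in #2, as an added example (not code from either poster or from Auth0): it serializes a claims request exactly once, in the form OIDC Core 5.5 describes, and classifies the value logged in #1 as a server would hold it after normal query-string decoding. The host names and client ID are constructed placeholders, and buildAuthorizeUrl, parseJsonObject and diagnoseClaims are hypothetical helper names.

```javascript
// Value copied from the "qs.claims" field of the log entry in the question.
const LOGGED_CLAIMS =
  "%7B%22userInfo%22%3A%7B%22https%3A%2F%2Fme.com%2Fpermissions%22%3Anull%7D%7D";

// Build an authorization URL, serializing the claims request exactly once.
// URLSearchParams percent-encodes values itself, so it is given raw JSON.
function buildAuthorizeUrl(base, params, claimsRequest) {
  const url = new URL(base);
  for (const [key, value] of Object.entries(params)) url.searchParams.set(key, value);
  url.searchParams.set("claims", JSON.stringify(claimsRequest));
  return url.toString();
}

// Return the parsed value only if the text is a JSON object, else undefined.
function parseJsonObject(text) {
  try {
    const v = JSON.parse(text);
    return v !== null && typeof v === "object" && !Array.isArray(v) ? v : undefined;
  } catch {
    return undefined;
  }
}

// Classify a claims value as the server holds it after ordinary query-string
// decoding. OIDC Core 5.5 defines the top-level members "userinfo" and
// "id_token"; members that are not understood are ignored.
function diagnoseClaims(value) {
  let parsed = parseJsonObject(value);
  let encoding = "ok";
  if (parsed === undefined) {
    let decoded = value;
    try { decoded = decodeURIComponent(value); } catch { /* malformed escape */ }
    parsed = decoded === value ? undefined : parseJsonObject(decoded);
    if (parsed === undefined) return { encoding: "not-json", ignoredMembers: [] };
    encoding = "double-encoded"; // only a second decode yields JSON
  }
  const ignoredMembers = Object.keys(parsed).filter(
    (name) => name !== "userinfo" && name !== "id_token");
  return { encoding, ignoredMembers };
}

// Constructed placeholders: tenant.example, app.example, CLIENT_ID_PLACEHOLDER.
const EXAMPLE_URL = buildAuthorizeUrl("https://tenant.example/authorize", {
  response_type: "code", client_id: "CLIENT_ID_PLACEHOLDER",
  redirect_uri: "https://app.example/callback", scope: "openid profile email",
  state: "constructed-state",
}, { userinfo: { "https://me.com/permissions": null } });
console.log(diagnoseClaims(LOGGED_CLAIMS));
console.log(diagnoseClaims(new URL(EXAMPLE_URL).searchParams.get("claims")));
```

A "%25" anywhere in the generated URL would indicate that a value was percent-encoded before being handed to the URL builder.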


#3