Custom claims require "http://" or "https:" prefix but only sometimes?

GeorgeCLT · July 2, 2020, 2:32pm

We are running into problem with JWT token length as exchange in URL given our payload.

We have added a number of custom claims which adds to to the size, especially repeating the namespace.

We have experienmented with shorter (unique random) name spaces and we have observed different behavior of Auth0 when it comes to rules and final idToken.

In existing US tenant we can use a shorter 10 character random name.
In exiting EU tenant we cannot unless we prefix it with either http:// or https:// why is there a requirement for using up to 6 extra characters in EU for namespaces?

In other words in EU we have to use
{
“https://82739hhydf”: “blue”,
}

While in US we can use
{
“82739hhydf”: “blue”,
}

We have checked the OpenId requirments and there is no requirement that a namespace has to be prefixed with extra http or https.

Where is this requirement coming from? Why is it applied differently across tenant? Can it be removed?

Here are the details from OpenId:

Final: OpenID Connect Core 1.0 incorporating errata set 1

5.1.2. Additional Claims

While this specification defines only a small set of Claims as standard Claims, other Claims MAY be used in conjunction with the standard Claims. When using such Claims, it is RECOMMENDED that collision-resistant names be used for the Claim Names, as described in the JSON Web Token (JWT) [JWT] specification. Alternatively, Private Claim Names can be safely used when naming conflicts are unlikely to arise, as described in the JWT specification. Or, if specific additional Claims will have broad and general applicability, they can be registered with Registered Claim Names, per the JWT specification.

Thanks,
George.

john.gateley · July 2, 2020, 3:51pm

Hi @GeorgeCLT

Namespaces are arbitrary identifiers as you note. What error are you getting when trying to remote the http/https in the EU tenant?

John

GeorgeCLT · July 2, 2020, 6:31pm

John:
thanks for confirming. No error is thrown that we can find. When attaching Real Time Webtask logs we would see the console output we are adding data to token... from the code below. No errors are shown, however, the returned token would not contain the values.
The values would only be in the token when we prefix the namespace with http:// or https://.
e.g. this works: var namespace = “http://a8987sfdh”;

  var namespace = "a8987sfdh";
  if (context.idToken && user.user_metadata) {
    console.log("we are adding data to token...");
    // add extra data to token
    if (user.user_metadata.first_version) context.idToken[namespace + 'first_version'] = user.user_metadata.first_name;

john.gateley · July 6, 2020, 3:53pm

Hi @GeorgeCLT

The docs are confusing on this point. It should actually be namespaced properly. See the yellow box here:

John

john.gateley · July 6, 2020, 3:56pm

I have made a request to have the docs improved.

Thanks!

John