Custom claims without namespace

I’m trying to set up role-based access with Auth0 and federated web identities on AWS (without Cognito). I have configured an OIDC provider, as described in the AWS integration docs, and I have successfully attached custom claims to the id_token, namespaced, as enforced by Auth0. However, due to some limitations at AWS’ end, it is not possible to attach a trust policy to a role that is based on namespaced custom claims. So this does not work:

# CloudFormation resource: IAM role assumable via the Auth0 OIDC provider
AuthorizedAdminRole:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: "AuthorizedAdmin"
    AssumeRolePolicyDocument:
      Statement:
        - Effect: "Allow"
          Principal:
            Federated: !Ref OpenIdProviderArn
          Action:
            - "sts:AssumeRoleWithWebIdentity"
          Condition:
            # standard claim: condition key has a single colon
            StringEquals:
              "xxxxxx.auth0.com/:aud": "auth0 client id"
            # namespaced custom claim: condition key ends up with two colons
            StringLike:
              "xxxxxx.auth0.com/:https://mynamespace.com/role": "admin"

The reason it does not work is that AWS does not allow multiple colons in the key of a policy condition.

So I was hoping that by disabling strict OIDC compliance in my Auth0 configuration, I should be able to attach claims that are not namespaced. But to my surprise, Auth0 still filters those claims from the id_token.

Is there any setting at all I can set/unset to make this happen?

2 Likes
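As an added example (not part of the original post or of Auth0’s or AWS’s own tooling), the script below decodes the claims that actually arrived in an id_token and predicts, for each claim, the IAM condition key it would map to and whether that key is usable under the constraint the post describes. The provider host `xxxxxx.auth0.com`, the key shape `<provider-host>/:<claim-name>`, and the “more than one colon is rejected” rule are taken from the post as assumptions; the token is constructed inline and is only decoded, never signature-verified, so it serves as a configuration check, not as an authentication step.

```python
"""Added example: inspect id_token claims and map them to IAM condition keys.

Assumptions (hypothetical, from the post): the OIDC provider host is
xxxxxx.auth0.com, AWS forms the condition key as "<host>/:<claim>", and a key
containing more than one colon cannot be used in a trust policy.
"""
import base64
import json

PROVIDER_HOST = "xxxxxx.auth0.com"  # assumed placeholder, as in the post


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    This is an inspection aid to see which claims Auth0 emitted; it must not
    be used to trust the token's contents.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def iam_condition_key(claim_name: str, provider_host: str = PROVIDER_HOST) -> str:
    """Build the condition key AWS expects for an OIDC claim: '<host>/:<claim>'."""
    return f"{provider_host}/:{claim_name}"


def usable_in_trust_policy(claim_name: str) -> bool:
    """True when the key holds exactly one colon (assumed AWS rule from the post)."""
    return iam_condition_key(claim_name).count(":") == 1


def classify_claims(token: str) -> dict:
    """Map every claim in the token to (condition key, usable-in-trust-policy)."""
    return {
        name: (iam_condition_key(name), usable_in_trust_policy(name))
        for name in jwt_claims(token)
    }


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned sample id_token for the demo.

    The header and the placeholder signature are fabricated; nothing here
    produces a token any verifier would accept.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    # Constructed sample claims: one standard claim, one namespaced custom claim.
    sample = make_token({
        "iss": "https://xxxxxx.auth0.com/",
        "sub": "auth0|example-user",
        "aud": "auth0 client id",
        "https://mynamespace.com/role": "admin",
    })
    for name, (key, ok) in classify_claims(sample).items():
        print(f"{'OK ' if ok else 'BAD'} {name!r:40} -> {key}")
```

Running it prints `OK` for `aud`, `sub` and `iss` and `BAD` for `https://mynamespace.com/role`, because the namespaced claim yields `xxxxxx.auth0.com/:https://mynamespace.com/role`, which contains two colons. The same decode step is a quick way to confirm whether a non-namespaced claim reached the id_token at all after changing the Auth0 settings.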

Hey @nilsga

As it has been more than a few months since this topic was opened, and there has been no reply or further information provided from the community as to the existence of the issue, we would like to check whether you are still facing the described challenge.

We are more than happy to assist in any way! If the issue is still out there, please let us know so we can create a new thread for better visibility; otherwise we’ll close this one in a week’s time.

Thank you!

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.