Auth0 Home Blog Docs

Custom claims without namespace

custom-claims
aws

#1

I’m trying to set up role based access with Auth0 and federated web identities on AWS (without Cognito). I have configured an OIDC provider, as described in the aws integration docs, and I have successfully attached custom claims to the id_token, namespaced, as enforced by Auth0. However, due to some limitations at AWS’ end, it is not possible to attach a trust policy to a role that are based on custom claims that are namespaced. So this does not work:

AuthorizedAdminRole:
Type: “AWS::IAM::Role”
Properties:
RoleName: “AuthorizedAdmin”
AssumeRolePolicyDocument:
Statement:
- Effect: “Allow”
Principal:
Federated: !Ref OpenIdProviderArn
Action:
- “sts:AssumeRoleWithWebIdentity”
Condition:
StringEquals:
xxxxxx.auth0.com/:aud”: “auth0 client id”
StringLike:
xxxxxx.auth0.com/:https://mynamespace.com/role”: “admin”

Reason it does not work is that AWS does not allow multiple colons in the key of a policy condition.

So I was hoping that by disabling strict OIDC compliance in my Auth0 configuration, I should be able to attach claims that are not namespaced. But to my surprise, Auth0 still filters those claims from the id_token.

Is there any setting at all I can set/unset to make this happen?