Hey there, I’ve been implementing the “Delegated Admin Extension” by following the docs here.
In the step “Add user roles to the DAE namespace in the ID Token using this rule”, I’m not using a rule but an action, and I don’t understand which namespace we should use for it.
These namespace identifiers are reserved and prevent custom claims from conflicting with the list of standardized claims defined by the OIDC specification.
And, having looked closely at your namespace identifier, it appears that you used your Auth0 domain name as part of the URL. The correct value that you should set should look similar to:
https://example.com/auth0-delegated-admin
Instead of using example.com, you can use your own uniquely defined namespace identifier in the URL.
Doing so will add user roles to the DAE namespace in the ID token.
Please let me know if there are any questions. I’d be happy to help.
Instead of using example.com, you can use your own uniquely defined namespace identifier in the URL.
What would be my uniquely defined namespace?
Shouldn’t the namespace be the target application URL?
From my experience, I thought the application only accepted a claim that is namespaced with its URL (or audience?). But I may be wrong; if you can point me to the correct understanding, I would appreciate it!
In short, you need to use a URI as the namespace for custom claims. Note that using any arbitrary identifier can remove the custom claims from the token if there’s a conflict with the same namespace.
Use a URL that you control as a namespace identifier; this allows you to avoid the risk that someone else is using the same namespace. The namespace URL does not have to point to an actual resource. It is only used as an identifier; it will not be called.
Therefore, your namespace should be in the format:
I still don’t get it quite well.
It seems I can put anything I want in the namespace. What would forbid me to put https://google.com/auth0-delegated-admin?
Right now I have it working with a domain I don’t control which is:
https://example.com/auth0-delegated-admin
I understand that Auth0 says I should use a domain I control, but what if I don’t? What happens? Can I interfere with someone who owns that domain? What if someone uses serpa.com (let’s imagine this is my domain) for their namespace?
Thank you for your response, and I’m sorry for the delayed reply.
I understand your concerns, and thank you for asking these clarifying questions.
First, nothing is stopping you from using https://google.com/auth0-delegated-admin as your namespace.
However, let me clarify namespaces in more detail.
Generally, namespaces are invented names, typically using your registered domain to avoid possible collisions with standard OIDC claims.
Of course, it is possible for anyone to coincidentally invent and use the same namespace as you (i.e. https://www.serpa.com/); however, this is typically not best practice and would run the risk of namespace collisions.
For example, if someone does decide to hijack a namespace, then they run the risk of breaking the interoperability between systems exchanging JWTs for authorization.
As defined by the JWT specification, namespaces are required to be unique (collision-resistant) to prevent name collisions, including the reserved namespaces defined by Auth0, specifically, auth0.com, webtask.io, and webtask.run.
Hope this helps! Please let me know if there are any questions.
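As an added example (not code from this thread or from Auth0’s DAE docs), here is what the original question’s post-login Action can look like: it sets the roles claim under the namespace discussed above, and refuses a namespace on one of the reserved domains listed in the last reply, since such claims are dropped from the token. Assumptions: roles are stored in user.app_metadata.roles (as the DAE rule the Action replaces expects), the Actions runtime provides api.idToken.setCustomClaim, and the sample user at the bottom is constructed.

```javascript
// Namespace for the DAE claims. Replace example.com with a domain you control
// (this is the one value you must change; the URL is never fetched).
const NAMESPACE = 'https://example.com/auth0-delegated-admin';

// Domains Auth0 reserves for its own claims; custom claims under them are
// dropped from the issued token, so a misconfiguration here is silent.
const RESERVED_NAMESPACES = ['auth0.com', 'webtask.io', 'webtask.run'];

// A usable namespace is an absolute http(s) URL whose host is not reserved.
function isUsableNamespace(ns) {
  let url;
  try { url = new URL(ns); } catch { return false; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  const host = url.hostname.toLowerCase();
  return !RESERVED_NAMESPACES.some(r => host === r || host.endsWith('.' + r));
}

// Builds the claim the DAE rule from the docs is replaced by. Assumed (not
// stated in the thread): the roles live in user.app_metadata.roles.
function buildRoleClaim(user, namespace = NAMESPACE) {
  if (!isUsableNamespace(namespace)) {
    throw new Error(`refusing to set claims under namespace ${namespace}`);
  }
  const roles = (user.app_metadata && user.app_metadata.roles) || [];
  return { name: namespace, value: { roles: roles.filter(r => typeof r === 'string') } };
}

// The Action entry point. A thrown error fails the login instead of issuing
// a token that quietly lacks the roles claim.
const onExecutePostLogin = async (event, api) => {
  const claim = buildRoleClaim(event.user);
  api.idToken.setCustomClaim(claim.name, claim.value);
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Offline check with a constructed user and a stub of the Action `api`.
function runOffline(user) {
  const claims = {};
  const api = { idToken: { setCustomClaim: (name, value) => { claims[name] = value; } } };
  return onExecutePostLogin({ user }, api).then(() => claims);
}
runOffline({ app_metadata: { roles: ['Administrator'] } }).then(c => console.log(c));
```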