Hash/encrypt scopes in access token

Hi There,

Auth0’s access token is in JWT format. Since the payload of a JWT is encoded (base64), not encrypted, anyone with the access token can read, but not modify, the payload. Does Auth0 allow me to hash/encrypt the scope or custom claims?

Thanks,


Hi @bo.liu I think you can hash/encrypt jwt claims via rules. There is no restriction on that. However JWTs are supposed to be lightweight, quick to process. Encrypting and decrypting adds additional overhead. IMO I would rather store the sensitive information in app_metadata and get it via GET /users/:id endpoint from backend instead.

Hi @ashish, I never thought we could use rules in this way. This is very helpful, thanks! Also I found some examples from Auth0: https://auth0.com/docs/rules/references/samples


Hi there,

@ashish’s suggestion is ideal, but if you have a requirement to encrypt a claim at runtime, you can access Node’s crypto functions inside a rule and use them to create an encrypted or hashed custom claim. For example:

function (user, context, callback) {
  // namespace for this custom claim
  const namespace = 'hashed';

  // import crypto functions
  // docs: https://nodejs.org/docs/v8.16.2/api/crypto.html
  const crypto = require('crypto');

  // secrets go in the rules configuration object, not the code
  // https://auth0.com/docs/best-practices/rules#store-security-sensitive-values-in-rule-settings
  const secret = configuration.CRYPTO_SECRET;
  // create an HMAC per docs above
  const hash = crypto.createHmac('sha256', secret)
    .update('read:articles')
    .digest('hex');

  context.accessToken[namespace + 'scopes'] = hash;
  return callback(null, user, context);
}

This gives you access to Node’s entire cryptography ecosystem so the options are pretty broad.


Thanks @matt.macadam! This is exactly what I am looking for!

