Auth0’s access token is in JWT format. Since the payload of a JWT is encoded (base64), not encrypted, anyone with the access token can read, but not modify, the payload. Does Auth0 allow me to hash/encrypt the scope or custom claims?
Hi @bo.liu, I think you can hash/encrypt JWT claims via rules. There is no restriction on that. However, JWTs are supposed to be lightweight and quick to process. Encrypting and decrypting adds additional overhead. IMO I would rather store the sensitive information in app_metadata and get it via the GET /users/:id endpoint from the backend instead.
@ashish’s suggestion is ideal, but if you have a requirement to encrypt a claim at runtime, you can access Node’s crypto functions inside a rule and use them to create an encrypted or hashed custom claim. For example:
```javascript
function (user, context, callback) {
  // namespace for this custom claim
  const namespace = 'hashed';
  // import crypto functions
  // docs: https://nodejs.org/docs/v8.16.2/api/crypto.html
  const crypto = require('crypto');
  // secrets go in the rules configuration object, not the code
  // (`configuration` is a global provided to every rule by Auth0)
  // https://auth0.com/docs/best-practices/rules#store-security-sensitive-values-in-rule-settings
  const secret = configuration.CRYPTO_SECRET;
  // create an HMAC per docs above
  const hash = crypto.createHmac('sha256', secret)
    .update('read:articles')
    .digest('hex');
  // attach the hex digest as a namespaced claim on the access token
  context.accessToken[namespace + 'scopes'] = hash;
  return callback(null, user, context);
}
```
This gives you access to Node’s entire cryptography ecosystem so the options are pretty broad.