Hi there,
@ashish’s suggestion is ideal, but if you have a requirement to encrypt a claim at runtime, you can access Node’s crypto functions inside a rule and use them to create an encrypted or hashed custom claim. For example:
```js
function (user, context, callback) {
  // namespace for this custom claim
  const namespace = 'hashed';

  // import crypto functions
  // docs: https://nodejs.org/docs/v8.16.2/api/crypto.html
  const crypto = require('crypto');

  // secrets go in the rules configuration object, not the code
  // https://auth0.com/docs/best-practices/rules#store-security-sensitive-values-in-rule-settings
  const secret = configuration.CRYPTO_SECRET;

  // create an HMAC per docs above
  const hash = crypto.createHmac('sha256', secret)
    .update('read:articles')
    .digest('hex');

  context.accessToken[namespace + 'scopes'] = hash;
  return callback(null, user, context);
}
```
This gives you access to Node’s entire cryptography ecosystem so the options are pretty broad.
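An added example, not part of the original post: the rule above produces a keyed hash, which a consumer can only recompute and compare, so this sketch shows that comparison done in constant time alongside an AES-256-GCM variant for a claim the API must actually read back. The function names, the scrypt salt label and the `iv || tag || ciphertext` layout are assumptions made for illustration, and the API is assumed to hold the same secret as the rule's `configuration.CRYPTO_SECRET`.

```javascript
const crypto = require('crypto');

// Assumption: the rule setting holds a passphrase, so stretch it to a 32-byte key.
// The salt string is a constructed label for this example.
function deriveKey(secret) {
  return crypto.scryptSync(secret, 'claim-encryption-example', 32);
}

// Rule side: returns base64(iv || tag || ciphertext) for use as a claim value.
function encryptClaim(plaintext, key) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every token
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// API side: returns the plaintext, or null if the claim was altered or the key is wrong.
function decryptClaim(claim, key) {
  const raw = Buffer.from(claim, 'base64');
  if (raw.length < 28) return null; // 12-byte IV + 16-byte tag at minimum
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null; // GCM tag check failed
  }
}

// API side for the hashed claim from the rule: recompute the HMAC over the
// value the API expects and compare without leaking timing information.
function verifyHashedClaim(claimHex, expectedValue, secret) {
  const expected = crypto.createHmac('sha256', secret).update(expectedValue).digest();
  const given = Buffer.from(String(claimHex), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```

Inside a rule, `encryptClaim('read:articles', deriveKey(configuration.CRYPTO_SECRET))` would take the place of the `createHmac` chain.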