I have a Regular Web App and an API. Both are secured through JWT. In my web app, I modified the identity token with Auth0 rules to add some custom claims. Essentially I add whether the user will be an administrator or not.
When I access my user claims in my web app, I get all regular claims + my custom claims. In my web API, I want to be able to access these custom claims. When I call my API from my app, I send the access token in an authorization header. But all the user claims are lost and only the claims in the access token are present (i.e. issuer, audience, etc.). How do I also pass my claims from the identity token? Or can I even just add a custom claim to the access token?
I know I can just create an object from my application and call the API with these values. But I wanted to know if there was a more secure way of sending this data over. I do not want a regular user who is authenticated to potentially fake this data to be sent.
My regular web app uses Authorization Code grant to get both an access token and a refresh token for my API. The API is secured through both basic authentication and also policy based authorization for specific actions. The reason I can’t use a policy in this case is because I need to check if the access token has an administrator claim in some logic for my API.
How would I go about doing this? Is there an example I could follow to add the custom claim to the access token used to call my API?