Is it safe to add Auth0 user_id in the access token custom claims?

I’m using a post-login Auth0 action to call my application backend, passing the Auth0 internal user_id in the body.

My backend returns the corresponding database_user_id (the ID for this user in our database)

Then I add both the Auth0 internal user_id and database_user_id as custom claims in the access token:

// Auth0 post-login action
exports.onExecutePostLogin = async (event, api) => {
  // .. call our backend

  if (response.data.database_user_id) {
    api.user.setAppMetadata("database_user_id", response.data.database_user_id);

    api.accessToken.setCustomClaim("https://myapp.com/database_user_id",
      response.data.database_user_id);

    api.accessToken.setCustomClaim("https://myapp.com/auth0_user_id", event.user.user_id);
  } else {
    api.access.deny("Could not resolve database user");
  }
};

The reason is that I can then ensure the token is valid in our backend middlewares, and also easily extract the user_id and database_user_id.

But I’m wondering if this is safe to do?

Hi @Kada , thank you for posting!

The sub claim (a user id to which the access token has been issued by the authorization server) is a standard OAuth 2.0 claim that an access token consists of. The custom claim you attach is the same kind of information and also lands in the token payload. This makes me think that, as long as you keep your database safe, you’re good.

Generally speaking, the recommendation is to avoid attaching a user’s sensitive data to the access token payload. At the same time, resource servers need to know the user id in order to grant access to the relevant, scope-based resources of that user.

If you didn’t have a chance before, you can learn more here: Token Best Practices.

If there are more questions you would like to discuss, please let us know!
