
Is it safe to send sensitive information via custom claims?


Is it safe, assuming the callback URL works over HTTPS, to add sensitive information to the idToken as custom claims (e.g. a username and password for an external app, associated with the user being authenticated)?

At risk of sounding overly cautious: no.

A big factor here is if the app is a SPA or server side app. If it’s a SPA, then the answer is NO. The user can read the ID token too and take the password from there.

If it’s server side (and you set everything up well), your user shouldn’t be able to see the content of the token and therefore the password. However, you should never store passwords in plain text, so the question then becomes how you can know the password in the first place.

If you want to grant access to a third service, a better way to do it would be using Auth0’s implementation of APIs. That means adding an audience to your Access Token which grants the user limited time access to the API using said Access Token (clue is in the name).

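To make the SPA point above concrete, here is an added example (not code from the thread or from Auth0) showing that a JWT's claims are only base64url-encoded, not encrypted: whoever holds the token can read every custom claim by decoding the middle segment. The token, issuer, client ID and the custom claim name are all constructed placeholders.

```javascript
// Added example: why secrets must not go into ID token custom claims.
// A JWS compact token is header.payload.signature; the payload is base64url
// JSON that anyone holding the token (the browser user, page scripts) can read.
// All values below are CONSTRUCTED placeholders; the signature is not checked.

function base64UrlDecode(segment) {
  // base64url -> standard base64, then restore padding before decoding
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build a constructed ID token carrying a hypothetical "password" custom claim.
function buildSampleIdToken() {
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = {
    iss: 'https://example-tenant.auth0.com/', // placeholder issuer
    sub: 'auth0|user123',                       // placeholder subject
    aud: 'client-id-placeholder',
    // hypothetical namespaced custom claim holding an external app credential
    'https://example.com/external_app_password': 'S3cretPlaceholder'
  };
  const sig = 'signature-placeholder'; // not a real signature
  return [base64UrlEncode(JSON.stringify(header)),
          base64UrlEncode(JSON.stringify(payload)), sig].join('.');
}

// What any holder of the token can do: split on '.' and decode the payload.
// No key, no verification, no server involved.
function readClaims(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns true if the named custom claim is exposed to the token holder.
function customClaimIsVisible(idToken, claimName) {
  return Object.prototype.hasOwnProperty.call(readClaims(idToken), claimName);
}
```

Run in Node (Buffer is built in); the same decode is what any browser script in a SPA could do with the token it receives.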

Hi thijmen96,

Thank you for the prompt feedback. I get your point; it's very clear.
I probably wasn't very clear with my question instead: the username and password were just an example, not the real case.
My doubt is about the confidentiality of the communication between the Auth system and my app. It would be totally fine if the authenticating (authenticated) user could read the data exchanged; it's probably sensitive data they already provided at some point before (as another example, it could be a CCN, bank account #, PayPal credentials, SSN, etc.). My concern is about third parties, not explicitly authorized, being able to sniff the idToken data somehow (e.g. by embedding my login page, using a malicious browser plugin, etc.).
In a nutshell, I assume I can use metadata as a trusted repo (for a limited amount of data, of course); can I also assume the token exchange mechanism is a fully trusted communication channel for retrieving the data from that repo?