Is the namespace qualifier required in custom claims added by rules

Hi,

I’m trying to replace an Auth0 login flow proxy in my automated tests with a non-interactive flow as described here. But the token’s payload I get is different from the one from an interactive flow, namely the custom data from app_metadata is missing.

I’ve already read this thread and this documentation page on adding custom claims to a token response, and I succeeded in adding data to the response’s access_token based on the user’s app_metadata, but the naming cannot be the same as in the interactive flow’s JWT, it seems. That’s my problem.

From the interactive flow, I get:

"app_metadata": {
   "roles": ["doc", "admin"],
   "stores": [
      {
         "id": "store1.example.com",
         "roles": ["admin"]
      }, {
         "id": "store2.example.com",
         "roles": ["admin"]
      }
   ]
},
"stores": [
   {
      "id": "store1.example.com",
      "roles": ["admin"]
   }, {
      "id": "store2.example.com",
      "roles": ["admin"]
   }
]

But, in the non-interactive flow, I must add a namespace identifier for the claim, otherwise it’s simply dropped… Using this rule, I managed to achieve:

Custom Rule

function (user, context, callback) {
  // Copy the user's store memberships and roles into namespaced access token claims
  context.accessToken['http://we.dont.care/stores'] = user.stores;
  context.accessToken['http://we.dont.care/roles'] = user.roles;
  callback(null, user, context);
}

Which leads to

"http://we.dont.care/stores": [
   {
      "id": "store.acme.com",
      "roles": ["admin"]
   },
   {
      "id": "other.store.com",
      "roles": ["admin"]
   }
],
"http://we.dont.care/roles": ["doc", "admin"],

Can we achieve the same naming? Why is the http://we.dont.care/ identifier prefix necessary?

Thanks a lot

Bump! Any insight from Auth0 on this? :slight_smile:

It appears that your existing login flow is using the legacy flows, while the new non-interactive flow is using the new OIDC conformant flow. In this new flow, only the standard claims are returned by default in the user profile, whereas the legacy flows would return the full data in the user profile. As you’ve found, in the OIDC conformant flows you can add custom claims using a rule and namespacing them. The recommendation is to migrate to the new OIDC conformant flows and use these namespaced claims.

You can read more about it here:

Migrate from Legacy Authentication Flows

OpenID Connect Scopes

OpenID Connect Protocol

Applications in Auth0