Is there a best practice for what info can be in access token

npatel · August 19, 2019, 12:33pm

Hi,

We are using Auth0 JWT based access_tokens to call our microservices. Now we want to include some additional info into it.

[
   {
      "profile_type":"ArtistProfile",
      "profile_name":"my artist view",
      "profile_id":1346777,
      "roles":[
         "analytics"
      ]
   },
   {
      "profile_type":"LabelProfile",
      "profile_name":"my company wide view",
      "profile_id":6918,
      "roles":[
         "analytics",
         "catalog",
         "accounting"
      ]
   }
]

These are user profiles / personas.

Question: Is it ok to send below profile info in access_token as Auth0 custom claims? We will be sending this token to our microservices. Does this violate any security standards as doc says keep access token free of user info and put them in id_token.

baskarrao.dandlamudi · August 19, 2019, 6:54pm

You can refer to the custom claims documentation here - JSON Web Token Claims

If the caller - client application and microservice which is an API, if both are in the same domain and controlled by your team, then it is fine to access them using either id_token or access_token. Though access_token is recommended.

When any third party is involved, it is recommended to use access_token with less user information.

James.Morrison · September 2, 2019, 10:54pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.