Is there a best practice for what info can be in access token

Hi,

We are using Auth0 JWT based access_tokens to call our microservices. Now we want to include some additional info into it.

[
   {
      "profile_type":"ArtistProfile",
      "profile_name":"my artist view",
      "profile_id":1346777,
      "roles":[
         "analytics"
      ]
   },
   {
      "profile_type":"LabelProfile",
      "profile_name":"my company wide view",
      "profile_id":6918,
      "roles":[
         "analytics",
         "catalog",
         "accounting"
      ]
   }
]

These are user profiles / personas.

Question: Is it ok to send below profile info in access_token as Auth0 custom claims? We will be sending this token to our microservices. Does this violate any security standards as doc says keep access token free of user info and put them in id_token.

You can refer to the custom claims documentation here - https://auth0.com/docs/scopes/current/custom-claims

If the caller - client application and microservice which is an API, if both are in the same domain and controlled by your team, then it is fine to access them using either id_token or access_token. Though access_token is recommended.

When any third party is involved, it is recommended to use access_token with less user information.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.