I received the email from Auth0 regarding the upcoming change with the private custom claims for Actions/Rules/Hooks.
I checked on all my tenants with the provided log query and had no results on each.
I checked all rules/hooks/actions on each tenant and they are all already using namespaced custom claims on tokens.
Custom claims don’t appear to be larger than 100KB.
The only place where we’re not using namespaced claims is in user.app_metadata and user.user_metadata. Should we namespace the claims there as well or is it not needed?
It depends on whether you want the user.app_metadata and user.user_metadata appended to your access token/ID token. If you do not intend to use the information after decoding the access token/ID token, then it will not be necessary to include them.
On the contrary, if you intend to use the user_metadata or app_metadata for some logic, I recommend appending the user_metadata and app_metadata as custom claims to your tokens.
In short, you will only need namespaced custom claims if you intend to append them to an access token or ID token.
I hope that helps clarify your questions.
Please let me know if you have any additional questions. I’d be happy to help.
I guess we only need the top level claim property to be namespaced. Something like this is fine, isn’t it?
// event.user.app_metadata is in the form
// { property1: "value1", property2: { property3: "value2" } }
api.accessToken.setCustomClaim("https://myDomain.com/metadata", event.user.app_metadata)
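Added example, not part of the original posts and not Auth0's own code: a post-login Action handler that puts app_metadata under one namespaced claim, copying only allow-listed keys (token contents are readable by whoever holds the token) and skipping the claim when it exceeds the 100KB figure mentioned in the thread. The allow-list, the mock `api` object, the metadata values and treating 100KB as a per-claim ceiling are assumptions.

```javascript
// Added example; the metadata values and allow-list are constructed.
const NAMESPACE = "https://myDomain.com";        // namespace from the post above
const MAX_CLAIM_BYTES = 100 * 1024;              // 100KB figure from the thread, applied per claim (assumption)
const ALLOWED_KEYS = ["property1", "property2"]; // hypothetical allow-list

// Copy only allow-listed top-level keys; nested keys are copied as-is
// and carry no namespace of their own.
function buildMetadataClaim(appMetadata) {
  const source = appMetadata || {};
  const claim = {};
  for (const key of ALLOWED_KEYS) {
    if (Object.prototype.hasOwnProperty.call(source, key)) claim[key] = source[key];
  }
  return claim;
}

// Serialized size of the claim value in bytes.
function claimSize(value) {
  return Buffer.byteLength(JSON.stringify(value), "utf8");
}

// In an Action this function would be assigned to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  const claim = buildMetadataClaim(event.user.app_metadata);
  if (Object.keys(claim).length === 0) return;     // nothing to add
  if (claimSize(claim) > MAX_CLAIM_BYTES) return;  // skip an oversized claim
  api.accessToken.setCustomClaim(`${NAMESPACE}/metadata`, claim);
};

// Constructed stand-in for the Actions `api` object, recording claims set.
function makeMockApi() {
  const claims = {};
  return { claims, accessToken: { setCustomClaim: (name, value) => { claims[name] = value; } } };
}

// Run the handler against constructed metadata and return the claims it set.
function demo() {
  const api = makeMockApi();
  const app_metadata = { property1: "value1", property2: { property3: "value2" }, internal_note: "constructed" };
  onExecutePostLogin({ user: { app_metadata } }, api);
  return api.claims;
}
console.log(JSON.stringify(demo(), null, 2));
```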