This follows a recommendation from the OIDC specification stating that custom claim identifiers should be collision-resistant. While this is not mandatory according to the specification, Auth0 will always enforce namespacing when performing OIDC-conformant login flows, meaning that any custom claims without HTTP/HTTPS namespaces will be silently excluded from tokens.
Is this not a little over opinionated? The spec clearly states:
Alternatively, Private Claim Names can be safely used when naming conflicts are unlikely to arise, as described in the JWT specification.
I know that the claims our application will be using will not clash with anything else, yet Auth0 has enforced an optional part of a specification?!?