PII Data in id_token

Is it a security risk to include sensitive PII such as date of birth, email address, and phone number directly in an OpenID Connect ID token (id_token)? My development team insists this aligns with industry standards and is mitigated by controls like ensuring the token never leaves the user’s device and implementing TLS for all communications, but I’m concerned about the PII. Is this an acceptable approach?

Hi @thatroger421

Welcome to the Auth0 Community!

Thank you for posting your question. Your concerns are valid. PII data needs to be treated with extra care, and worrying about that in tokens is a good instinct, not paranoia. In Auth0 and OIDC, ID tokens are JWTs intended for your application, primarily to verify the user’s identity and to convey basic profile data for the UI. OIDC defines standard “profile” claims (name, family_name, birthdate, email, phone, etc.), and these can be delivered in the ID token or via the UserInfo endpoint, depending on scopes and configuration. → Final: OpenID Connect Core 1.0

My best advice would be to follow the token best-practices guide here → Token Best Practices, as each situation can be treated differently.

Thanks!
Dawid
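The reply above notes that OIDC profile claims can ride inside the ID token or be fetched from the UserInfo endpoint. The following is an added example, not code from the original thread or from Auth0, that makes the security-relevant difference concrete: an ID token is a JWS, which is signed but not encrypted, so every claim in it is readable by anyone who holds the token, with no key at all. The script mints two ID tokens for the same user, one with the PII claims embedded and one identity-only, shows which PII each exposes to a key-less reader, performs the basic ID token validation (signature, iss, aud, exp), and stands in for a UserInfo call for the lean variant. It uses HS256 with a constructed key purely so it runs offline; the issuer URL, client ID, user record and all sample values are constructed for the example, and a real issuer normally signs with an asymmetric algorithm and publishes the key via JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HS256 key so the example runs offline. A real issuer normally
# uses an asymmetric algorithm (e.g. RS256) and publishes the public key (JWKS).
EXAMPLE_KEY = b"example-hs256-key-do-not-use-in-production"
ISSUER = "https://issuer.example.com/"   # assumed issuer for the example
CLIENT_ID = "example-client-id"          # assumed audience (the relying party)

# Standard OIDC claims (Core 1.0 section 5.1) that carry PII.
PII_CLAIMS = {"name", "given_name", "family_name", "birthdate", "email",
              "phone_number", "address"}

# Constructed profile record standing in for what the UserInfo endpoint returns.
USERINFO_DB = {
    "auth0|abc123": {"sub": "auth0|abc123", "name": "Roger Example",
                     "email": "roger@example.com", "birthdate": "1990-01-01",
                     "phone_number": "+15555550100"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = EXAMPLE_KEY) -> str:
    """Produce an HS256 JWS: header.payload.signature. Signed, NOT encrypted."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def peek_claims(token: str) -> dict:
    """Read the payload with no key. Whoever holds the token (browser storage,
    request logs, proxies, crash dumps) can do exactly this."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_id_token(token: str, key: bytes, now=None) -> dict:
    """Basic ID token validation (OIDC Core 3.1.3.7): signature, iss, aud, exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims


def pii_in_token(token: str) -> set:
    """Which PII claims leak to anyone who merely sees this token?"""
    return set(peek_claims(token)) & PII_CLAIMS


def userinfo(sub: str) -> dict:
    """Stand-in for GET /userinfo with a valid access token: the app fetches
    PII on demand instead of carrying it inside the ID token."""
    return USERINFO_DB[sub]


def build_tokens(now: int) -> tuple:
    base = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "auth0|abc123",
            "iat": now, "exp": now + 3600, "nonce": "n-0S6_WzA2Mj"}
    # Variant 1: profile/email/phone claims embedded directly in the ID token.
    fat = mint_id_token({**base, **USERINFO_DB["auth0|abc123"]})
    # Variant 2: identity-only ID token; PII comes from userinfo() when needed.
    lean = mint_id_token(base)
    return fat, lean


if __name__ == "__main__":
    now = int(time.time())
    fat, lean = build_tokens(now)
    print("PII readable without the key (fat):", sorted(pii_in_token(fat)))
    print("PII readable without the key (lean):", sorted(pii_in_token(lean)))
    print("lean token verified for sub:", verify_id_token(lean, EXAMPLE_KEY)["sub"])
    print("profile fetched from UserInfo:", userinfo("auth0|abc123")["email"])
```

The point to take from running it: `peek_claims` needs no key, so "TLS everywhere" and "the token never leaves the device" only protect the token in transit and against third parties; they do nothing about the token being logged, stored in the browser, or captured on the device itself. Keeping the ID token to identity claims and fetching profile data from UserInfo confines the PII to an explicit, access-token-gated request the app makes when it actually needs it.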
