Safety of Adding Fields to Access Token

arun2 · September 17, 2022, 4:36pm

I’m adding the organization name to my access token in a rule:
context.accessToken[namespace + 'org_name'] = context.organization.name.

This works, but I’m curious about the security aspect. Can this custom field be tampered with on the user side? Or is it encrypted in the same way as the default fields that are normally on the access token?

john.gateley · September 19, 2022, 1:41pm

Hi @arun2

The access token is signed, and the signature includes all claims including custom claims. Tampering with a custom claim will invalidate the signature.

As long as you properly verify the access token, you are good.

John

Topic		Replies	Views
Adding User Data in Access Token for Custom Authorisation Archived users , access-token	1	7158	November 29, 2017
Custom claims are not added in the token Archived access_token , custom-claims , missing-claims-afer-	6	9238	March 18, 2020
Bug: Access token missing custom fields added in rule Archived bug , jwt , rules , access-token	1	4604	March 5, 2018
Custom claims not added to access_token despite Rule Archived rules , access_token , custom-claims	20	24013	March 17, 2020
Custom claim appears when decoding access token but not in custom claims object Get Help extensibility , actions-extensibility	1	75	July 31, 2024

Safety of Adding Fields to Access Token

Related topics