/userinfo endpoint


We are migrating from Identity Server to Auth0. In Identity Server, we were using a ‘reference token’, which is a small fixed-length string that holds an identifier for the user's custom claims. To get the custom claims, we need to make a call to the introspect endpoint to get the custom claim details.
Now, in Auth0, we came across the opaque token, which is somewhat similar to a reference token but not exactly the same.
Currently, this opaque token can be used only with the ‘/userinfo’ endpoint, but this endpoint does not return any custom claims that are added to the ‘AccessToken’ through an ‘Auth0 Rule’ as below:

Recently, we came across the updates mentioned on ‘Deprecation & Migration’ (Deprecations and Migrations), i.e.:
"If your tenant is running extensibility code (Rules/Hooks/Actions) that tries to set non-namespaced custom claims that are being ignored until this deprecation, then those claims will begin to appear on the tokens and the /userinfo response. We recommend you review your configuration and Auth0 logs."
So, my question is: based on the above-mentioned updates, can we expect the custom claims that are added to the access token through a rule to appear in the ‘/userinfo’ endpoint, or does this apply only to the ID Token and not to the access token?

Jaydeep S

Hi there @Jaydeeps03!

The data returned by the userinfo endpoint will be specific to the ID token (including custom claims) and not the Access token. Custom claims added to an AT via extensibility will only be available in the token itself. In order for an AT to be non-opaque, an audience will need to be included - Some more on that here:

Hope this helps!

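The distinction drawn in the answer above, as an added example that is not part of the thread and not Auth0's own code: an API treats a token without JWT structure as opaque (usable only at /userinfo), and reads custom claims from a JWT access token only after checking signature, audience and expiry. It assumes RS256-signed tokens; the audience, namespace, key pair and claim values are constructed for illustration.

```javascript
// Added example: constructed values throughout, not Auth0's or the poster's code.
const crypto = require('node:crypto');

const API_AUDIENCE = 'https://api.example.test'; // assumed API identifier (audience)
const NAMESPACE = 'https://example.test/';       // assumed custom-claim namespace

// Stand-in for the tenant's signing key pair; a real API would load the
// tenant's public key instead of generating one.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Helper for the demo only: mint an RS256 JWT access token.
function signJwt(payload) {
  const input = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(payload)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Returns { kind: 'opaque' } when the token carries no readable claims (the API
// can only present it to /userinfo), or { kind: 'jwt', claims } after validation.
function claimsFromAccessToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { kind: 'opaque', claims: null };
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return { kind: 'opaque', claims: null };
  }
  // Validate before trusting any claim: algorithm, signature, audience, expiry.
  if (header?.alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('sha256', signed, publicKey, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  if (![].concat(payload?.aud ?? []).includes(API_AUDIENCE)) throw new Error('wrong audience');
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('expired');
  // Custom claims added to the access token live only in this payload.
  const claims = Object.fromEntries(
    Object.entries(payload).filter(([name]) => name.startsWith(NAMESPACE)));
  return { kind: 'jwt', claims };
}
```

A token requested without an audience takes the `opaque` branch, so any custom claims the API needs have to come from a JWT access token issued for its audience.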