What Restrictions Apply To The `roles` Claim?

Hello, I know there are already many threads about roles in tokens, and I managed to get it working with Next Auth, as I outlined in my answer here: next.js - Requesting User Roles With Auth0 And Next Auth - Stack Overflow

However, I’m still slightly confused. The custom claim documentation says that `roles` is a restricted claim, but I wonder, is there any way to use it for displaying roles? I didn’t get it to work with the claim `roles`, only `https://example.com/roles`, although, after rereading the documentation, maybe the problem was not the namespace but the restriction on the claim `roles`. But anyway, what are the restrictions for the claim `roles`, and is it possible to work within them?

Hey @klausgy welcome to the community!

`roles` is indeed a restricted claim, and cannot be used directly as a claim to add roles in token(s), as you’ve seen.

The restriction is on the use of the string `roles` as a custom claim itself: you can either use a custom namespace, as you’ve demonstrated, or something like `userRoles` would also work. This is just in an effort to avoid any potential collisions while adhering to OIDC/OAuth protocols.

Hope this helps to clarify!
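The namespaced-claim approach from the answer above, as an added example that is not code from the thread or from Auth0: a post-login Action that copies the user's roles into `https://example.com/roles` (the thread's own example namespace), plus a small stand-in for the Action runtime so the flow can be run offline. The `event` and `api` objects below are constructed stubs; in a real tenant Auth0 supplies them, and the `setCustomClaim` calls are the documented Actions API.

```javascript
// Added example, not code from the thread or from Auth0. The namespace is the
// thread's own example value; the event/api stubs are constructed here.
const NAMESPACE = 'https://example.com';

// In a real Action this is `exports.onExecutePostLogin = async (event, api) => { ... }`.
// The body has no awaits, so a synchronous function behaves identically.
function onExecutePostLogin(event, api) {
  // event.authorization.roles is filled in by Auth0 RBAC; it is absent when
  // the user has no roles assigned.
  const roles = (event.authorization && event.authorization.roles) || [];
  // Use a namespaced claim name. A bare "roles" custom claim is a restricted
  // name and, as the answer says, would simply be ignored by Auth0.
  const claimName = `${NAMESPACE}/roles`;
  api.idToken.setCustomClaim(claimName, roles);
  api.accessToken.setCustomClaim(claimName, roles);
}

// Stand-in for the runtime's `api` object that records what the Action set.
function makeApiStub() {
  const idClaims = {};
  const accessClaims = {};
  return {
    idToken: { setCustomClaim: (name, value) => { idClaims[name] = value; } },
    accessToken: { setCustomClaim: (name, value) => { accessClaims[name] = value; } },
    idClaims,
    accessClaims,
  };
}

// Consumer side (for example a NextAuth jwt/session callback): read the
// namespaced claim from an already-verified, decoded token payload. Tolerate
// its absence and drop anything that is not a string, so a malformed claim
// cannot smuggle unexpected types into the session.
function rolesFromClaims(claims, namespace = NAMESPACE) {
  const value = claims ? claims[`${namespace}/roles`] : undefined;
  return Array.isArray(value) ? value.filter((r) => typeof r === 'string') : [];
}

// Run the Action against a constructed login event and return what it produced.
function runAction(roles) {
  const event = roles === undefined ? {} : { authorization: { roles } };
  const api = makeApiStub();
  onExecutePostLogin(event, api);
  return {
    idClaims: api.idClaims,
    accessClaims: api.accessClaims,
    roles: rolesFromClaims(api.idClaims),
  };
}
```

`runAction(['admin', 'editor'])` yields an ID token payload containing `https://example.com/roles` and no bare `roles` key; `runAction()` (a user with no roles) yields an empty array rather than `undefined`, which is the case the original question ran into.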

Thanks a lot for the answer! Yes, it makes sense, but I wonder, does that mean that the `roles` claim will always be undefined? Or is it possible to activate it somehow, not as a custom claim, but as the claim it is reserved for?


No problem, happy to help!

Even if you attempt to add `roles` as a custom claim, it will just be ignored altogether, so it is more or less just off limits. I will note that it is common practice to infer roles from permissions, so the extra step to add the actual roles as custom claims by way of a rule/action is not necessarily required.
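The "infer roles from permissions" approach mentioned above, as an added example that is not code from the thread or from Auth0: with RBAC enabled for the API and "Add Permissions in the Access Token" switched on, Auth0 puts a `permissions` array in the access token, and the client can map that back to roles without any custom claim. The role-to-permission table and the sample token below are constructed for illustration; the decoder reads the payload without verifying the signature, so it must only be applied to a token your OIDC library has already verified.

```javascript
// Added example, not code from the thread or from Auth0. ROLE_PERMISSIONS and
// the sample token are constructed, hypothetical values.

// Hypothetical: which permissions each application role grants.
const ROLE_PERMISSIONS = {
  viewer: ['read:articles'],
  editor: ['read:articles', 'write:articles'],
  admin: ['read:articles', 'write:articles', 'delete:articles', 'manage:users'],
};

function base64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// Read the payload of a compact JWT WITHOUT verifying it. Only use this on a
// token that has already been verified; never authorize on an unverified token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// A role is held when the token carries every permission that role grants.
// Missing or non-array `permissions` yields no roles rather than throwing.
function inferRoles(permissions, roleDefs = ROLE_PERMISSIONS) {
  const have = new Set(Array.isArray(permissions) ? permissions : []);
  return Object.keys(roleDefs).filter((role) =>
    roleDefs[role].every((p) => have.has(p)),
  );
}

function rolesFromAccessToken(token) {
  const claims = decodeJwtPayload(token);
  return inferRoles(claims.permissions);
}

// Constructed sample: an unsigned token whose payload carries `permissions`
// in the shape Auth0 emits. The signature segment is a placeholder.
function sampleToken(permissions) {
  const header = base64urlEncode({ alg: 'none', typ: 'JWT' });
  const payload = base64urlEncode({ sub: 'auth0|123', permissions });
  return `${header}.${payload}.sig`;
}
```

`rolesFromAccessToken(sampleToken(['read:articles', 'write:articles']))` returns `['viewer', 'editor']`; a token with no `permissions` claim returns `[]`. Because roles are recomputed from permissions on every request, a permission removed in the Auth0 dashboard takes effect as soon as a fresh access token is issued, without touching any Action.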
