Why are some claims visible at the Auth0 user profile and not in the id_token JWT payload?

Hi there.

Why are some claims visible at the Auth0 user profile and not in the id_token JWT payload? I’m specifically missing the sid claim needed for Front Channel Logout, which is visible at the user’s profile at Auth0 after logging in with the OIDC, but it’s not visible in the decoded JWT payload.

For completeness: I’m building the app off of Laravel with the socialite Auth0 provider (GitHub - SocialiteProviders/Auth0: [READ ONLY] Subtree split of the SocialiteProviders/Auth0 Provider (see SocialiteProviders/Providers)).

Any help is appreciated

Just tried the Auth0 Laravel example app (GitHub - auth0-samples/auth0-laravel-php-web-app: Auth0 Integration Samples for Laravel Web Applications), and the decoded token_id payload doesn’t contain a sid (session id) claim even though the Auth0 user profile does:

Is Auth0 somehow masking the client_id claims?


Solved it by adding the following rule to Auth0:

```js
function addSidToIdToken(user, context, callback) {
  // This rule adds the authenticated user's session id (sid) to the id token.

  const namespace = 'https://example.com/';

  context.idToken[namespace + 'sid'] = user.sid;

  callback(null, user, context);
}
```

Wooohooo! Glad you figured it out and thanks for sharing with the rest of the community!
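On the application side, the namespaced claim written by the rule above has to be read back out of the ID token and compared with the session a logout request names. The following is an added example, not code from the thread or from Auth0: it assumes the ID token was already validated by the OIDC library, that the logout request carries `iss` and `sid` query parameters as in the OIDC Front-Channel Logout specification, and the function names and sample values are hypothetical.

```javascript
// Added example (not from the thread). Assumes signature, iss, aud and exp of the
// ID token were already verified by the OIDC library; this only reads claims.
const NAMESPACE = 'https://example.com/'; // namespace used by the rule in the thread

// Decode the payload segment of a compact JWT (no signature verification here).
function decodePayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Return issuer and session id: the standard `sid` claim if present,
// otherwise the namespaced custom claim added by the rule.
function sessionIdFromIdToken(idToken) {
  const claims = decodePayload(idToken);
  const sid = claims.sid ?? claims[NAMESPACE + 'sid'];
  if (typeof sid !== 'string' || sid === '') throw new Error('ID token carries no sid');
  return { iss: claims.iss, sid };
}

// Decide whether a front-channel logout request targets this local session.
// Both parameters must be present and must match what the ID token stated.
function shouldLogout(query, session) {
  if (typeof query.iss !== 'string' || typeof query.sid !== 'string') return false;
  return query.iss === session.iss && query.sid === session.sid;
}

// Constructed sample token with a placeholder signature, built inline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2ln`;
}

const sampleToken = makeSampleToken({
  iss: 'https://tenant.example/',              // constructed issuer
  sub: 'auth0|constructed',                    // constructed subject
  'https://example.com/sid': 'constructed-session-id',
});
const session = sessionIdFromIdToken(sampleToken);
console.log(session, shouldLogout({ iss: session.iss, sid: session.sid }, session));
```

Store the returned `iss` and `sid` with the local session at login so the logout endpoint can look them up without re-parsing the token.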