Why does a custom rule's namespace have to be my tenant URL?

Hello,
I created a rule to have user_metadata in the /userinfo endpoint. It works, but it seems I cannot use anything other than my tenant for the namespace.

function (user, context, callback) {
  const namespace = 'https://foo.bar.john.doe.auth0.com/';
  context.idToken[namespace + 'user_metadata'] = user.user_metadata;
  callback(null, user, context);
}

…which makes my JSON key quite weird:

{
    "sub": "auth0|5dasf4e923ddasdfs0e78798",
    "nickname": "jd",
     ..........
    "https://foo.bar.john.doe.auth0.com/user_metadata": { <---------- here !
        "user_metadata": {
            "description": "lorem ipsum dolore sit amet"
        }
    }
}

I tried to use another namespace like app_custom or whatever, but then the custom rule disappears from my JSON result. Why?

Thanks

Hi @saytaine,

In short, this prevents custom claims from clashing with the list of standardized claims and future standard claims. You can make the namespace whatever you want, as long as it follows that pattern.

We are following the guidelines set forth in the OIDC specification. It is part of making your application OIDC conformant.

OIDC Core Section 5.1.2 Additional Claims:

While this specification defines only a small set of Claims as standard Claims, other Claims MAY be used in conjunction with the standard Claims. When using such Claims, it is RECOMMENDED that collision-resistant names be used for the Claim Names, as described in the JSON Web Token (JWT) specification. Alternatively, Private Claim Names can be safely used when naming conflicts are unlikely to arise, as described in the JWT specification. Or, if specific additional Claims will have broad and general applicability, they can be registered with Registered Claim Names, per the JWT specification.

Hope this helps,
Dan

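The naming rule discussed above, as an added example that is not part of the thread and not Auth0's own code: it sorts claim names into standard, namespaced (collision-resistant) and bare private names, and refuses to write custom claims under anything but an http(s) URL prefix. The namespace `https://app.example.com/`, the helper names and the sample token are assumptions made for illustration.

```javascript
// Added example: helper names, namespace and sample data are assumptions.
// Claim names defined by RFC 7519 (JWT) and OIDC Core (ID Token, Section 5.1).
const STANDARD_CLAIMS = new Set([
  'iss', 'sub', 'aud', 'exp', 'nbf', 'iat', 'jti',
  'auth_time', 'nonce', 'acr', 'amr', 'azp', 'at_hash', 'c_hash',
  'name', 'given_name', 'family_name', 'middle_name', 'nickname',
  'preferred_username', 'profile', 'picture', 'website', 'email',
  'email_verified', 'gender', 'birthdate', 'zoneinfo', 'locale',
  'phone_number', 'phone_number_verified', 'address', 'updated_at',
]);

// 'standard'   -> reserved by the specs, never reuse for custom data
// 'namespaced' -> collision-resistant: the name starts with an http(s) URL
// 'private'    -> bare name such as app_custom; may clash with a standard claim
function classifyClaimName(name) {
  if (STANDARD_CLAIMS.has(name)) return 'standard';
  return /^https?:\/\/[^\s/]+\//.test(name) ? 'namespaced' : 'private';
}

// Hypothetical helper for use inside a rule: copies `claims` into `target`
// under `namespace`, refusing a namespace that is not an http(s) URL prefix.
function addNamespacedClaims(target, namespace, claims) {
  if (classifyClaimName(namespace) !== 'namespaced' || !namespace.endsWith('/')) {
    throw new Error('namespace must be an http(s) URL ending in "/": ' + namespace);
  }
  for (const [key, value] of Object.entries(claims)) {
    target[namespace + key] = value;
  }
  return target;
}

// Consumer side: collect the custom claims under one namespace, prefix removed.
function readNamespacedClaims(payload, namespace) {
  const out = {};
  for (const [key, value] of Object.entries(payload)) {
    if (key.startsWith(namespace)) out[key.slice(namespace.length)] = value;
  }
  return out;
}

// Constructed sample data.
const NS = 'https://app.example.com/';
const idToken = addNamespacedClaims(
  { sub: 'auth0|constructed-id', nickname: 'jd' }, NS,
  { user_metadata: { description: 'lorem ipsum' } });
console.log(Object.keys(idToken).map((k) => [k, classifyClaimName(k)]));
console.log(readNamespacedClaims(idToken, NS));
```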

Thanks for your reply @dan.woda
If I understand correctly, that means I have to use a namespace like app.custom or www.app.custom to follow the standards. Am I correct?
Thanks
