- Creating persistent custom claims
- Creating a unique session ID
- Propagating tenant identifiers
- Managing transient data from upstream identity providers (IDPs)
- Enhancing security and fraud detection
Create persistent custom claims
Refresh token metadata and session metadata together lets you create persistent custom claims to extend information contained within ID and access tokens. Using persistent custom claims, you can access application specific data, such as:- User roles
- Permissions
- Tenant IDs
- And other attributes necessary for authorization and personalization across refresh token exchanges.
api.refreshToken.setMetadata() object.
custom claim Action example
post-login Action trigger can access these custom claims, using the event.refresh_token.metadata object and apply them to newly issued refresh tokens using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.
A single
post-login Action can handle different grant_type scenarios using the event.request.body.grant_type object to manage claim persistence. The event.refresh_token object is read-only available during refresh token exchanges.Create a unique session ID
Refresh token metadata and Session metadata together let you create a unique session ID to implement a persistent session identifier that is carried across the entire lifespan of a user’s session, including during refresh token rotations. Using unique session IDs, you can:- Accurately log a user’s session for debugging and auditing purposes.
- Provide a mechanism for applications to track internal session state.
- Enable APIs to provide granular logging, rate limiting, and contextual authorization decisions.
- Apply consistent UX experiences that span multiple token lifecycles.
api.session.setMetadata() and api.refreshToken.setMetadata() objects.
Add the unique session ID, as a custom claim to the ID and access tokens, using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.
unique session ID Action example
event.refresh_token.metadata object, and apply them to newly issued refresh tokens using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.
Create a tenant identifier
Refresh token metadata and session metadata together let you create a persistent tenant identifier to manage multi-tenant applications, where a single instance of an application serves multiple customer organizations, that is carried across the entire lifespan of a user’s session. Using a persistent tenant identifier, you can:- Add dynamic access control to easily enforce tenant-specific permissions in your applications and APIs
- Create a tailored user experience to deliver content and features relevant to the user’s current tenant context
- Simplify multi-tenancy logic by centralizing tenant identification and propagation within Auth0
- Enhance security by preventing accidental cross-tenant data exposure by ensuring consistent tenant context in all tokens
- Improve scalability by reducing the need for repeated database queries or complex logic to determine tenant context on every API call or token refresh
ext-tenantId value provided during the authentication request, infer the tenant using geo-location, or by prompting the user to select their desired tenant.
Once the tenant is identified, assign the tenant identifier value to the user’s session using the api.session.setMetadata() and api.refreshToken.setMetadata() objects, and add it as a custom claim to the ID and access tokens using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.
tenant identifier Action example
post-login Action can access these custom claims, using the event.refresh_token.metadata object, and apply them to newly issued refresh tokens using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.
Manage transient data from upstream identity providers (IDPs)
Refresh token metadata and session metadata together let you manage transient and contextual data from upstream IDPs throughout a user’s session without storing it permanently in the user’s Auth0 profile. Using transient data, you can:- Maintain clean user profiles by preventing the storage of transient or session specific data
- Enhance flexibility by supporting diverse data requirements from various IDPs without forcing schema changes or data bloat in persistent user profiles
- Improve compliance by facilitating adherence to data privacy and retention policies by storing transient data only for its required lifetime
- Reduce development overhead by simplifying the process of handling transient IDP data, as Auth0 Actions and metadata manage the data lifecycle
event.request, event.user, and event.context objects.
Determine which data is transient or contextual data and assign it to the user’s session, using the api.session.setMetadata() and api.refreshToken.setMetadata() objects, add the transient data as a custom claim to the ID and access tokens using the api.idToken.setCustomClaim() and api.accessToken.setCustomClaim() objects.
transient data Action example
post-login Action trigger can access these custom claims, using the event.refresh_token.metadata object, and apply them to newly issued refresh tokens using the api.accessToken.setCustomClaim() object.
Enhance security and fraud detection
Refresh token metadata and session metadata together let you implement adaptive security by enabling the tracking and comparison of contextual information throughout a user’s session including refresh token rotations and silent authentication requests. By implementing adaptive security you can:- Create proactive threat detection by automatically identifying and responding to suspicious changes in user context data, reducing the risk of session hijacking and unauthorized access.
- Reduce friction for legitimate users by only prompts for MFA or additional verification when a genuine anomaly is detected, improving the user experience compared to blanket MFA requirements.
api.session.setMetadata() object.
security detection Action example
post-login Action trigger can apply risk assessment and adaptive responses.
Access Metadata with the Management API
You can use the Auth0 Management APIGET /api/v2/refresh-tokens/{id} and /api/v2/sessions/{id} endpoints to retrieve the stored data in either a refresh token or session’s metadata.
The response includes the metadata field containing the stored data:
Learn more
- Refresh tokens: Learn about Refresh tokens.
- Sessions: Learn about Sessions.
- Actions Event objects: Learn about the
post-loginevent object and properties. - Actions API object: Learn about the
post-loginAPI object and methods.