/userinfo endpoint. To learn more about the types of claims, read JSON Web Token Claims.
Example
Previously, Auth0 allowed only namespaced claims on access and ID tokens. With the migration to custom claims, non-namespaced claims can be used on , ID tokens, and the/userinfo endpoint of Auth0’s Authentication API.
Affected flows
All Connect (OIDC) flows that Auth0 supports are affected by this migration. To review the list of flows, read Authentication and Authorization Flows. The following features are also affected: The following features are affected only when used along with Auth0 Rules and attribute mapping:Restrictions
Maximum token size
Auth0 will restrict the custom claims payload to a maximum of 100KB. It is important to make sure the payload does not exceed this limit, otherwise the authentication transaction will fail with an error. We recommend you review your use of extensibility code (i.e. Rules, Hooks, or Actions). In particular, review large payloads from external APIs. To avoid errors, Auth0 recommends using the smallest token payload necessary for your application to operate. You may need to strip any properties that are not crucial before you set the custom claim value.This restriction is applied to the total payload size of all your custom claims. This includes the custom claims names as well as the associated values, whether they are public namespaced or private non namespaced.
Examples
Restricted claims
Auth0 will restrict the customization of claims used in the OIDC or OAuth2 standards or claims for internal use. Any attempt to modify one of these claims will be ignored. The transaction won’t fail, but the claim will not be added to tokens. Auth0 recommends using a public, namespaced claim.acractactiveamrat_hashathattestaudauth_timeauthorization_detailsazpc_hashclient_idcnfctydestentitlementseventsexpgroupsgtyhtmhtuiatinternalServiceissjcardjkujtijwejwkkidmay_actmkynbfnonceobject_idorg_idorg_nameorigorigidpermissionsrolesrphs_hashsidsip_callidsip_cseq_numsip_datesip_from_tagsip_via_branchsubsub_jwktoetxntypuuidvotvtmx5t#S256
Example
Restricted token audience
Auth0 will restrict the creation of private, non-namespaced custom claims on access tokens in which the is an Auth0 API. Any attempt to set a private, non-namespaced custom claim on an access token where the audience is an Auth0 API will be ignored. The transaction will not fail, but the claim will not be added to your token. Auth0 recommends not setting custom claims on tokens that are to be consumed by Auth0’s APIs.- ID tokens are not concerned by this restriction.
- Public namespaced custom claims are not concerned by this restriction.
https://YOUR_TENANT.auth0.com/apiorhttps://YOUR_TENANT.auth0app.com/apihttps://YOUR_TENANT.auth0.com/api/v2orhttps://YOUR_TENANT.auth0app.com/api/v2https://YOUR_TENANT.auth0.com/mfaorhttps://YOUR_TENANT.auth0app.com/mfa
/userinfo audience. Private, non-namespaced custom claims are allowed on the following audience:
https://YOUR_TENANT.auth0.com/userinfohttps://YOUR_TENANT.auth0app.com/userinfo
Examples
Restriction on Auth0 and Webtask namespaces
Auth0 will restrict the creation of namespaced custom claims with an Auth0 domain as namespace identifier. Auth0 domains are:- auth0.com
- webtask.io
- webtask.run
Before this migration, setting a namespaced custom claim with an Auth0 domain identifier would result in the claim showing up in the
/userinfo response. This behavior disappears after the migration and such custom claims are completely ignored.OIDC user profile claims
Auth0 will now allow OIDC user profile claims to be added to access tokens. Attempts to add OIDC user profile claims to the access token were silently ignored prior to this migration. With the updated behavior, access tokens will contain these OIDC user profile claims.If you add OIDC user profile claims to access tokens, the same scope restrictions apply as are applicable to ID tokens. For example, to add
email claim to access tokens, the flow must be triggered with a scope that contains email.addressbirthdateemailemail_verifiedfamily_namegendergiven_namelocalemiddle_namenamenicknamephone_numberphone_number_verifiedpicturepreferred_usernameprofileupdated_atwebsitezoneinfo
Example
SAML2 add-on and Web Service Federation Protocol (WS-Fed) attribute mapping with Auth0 Rules
Similar to using Auth0 Rules to make changes to the user object,app_metadata or user_metadata pre-migration claims also merge contents when the claim is set on the context.idToken object and the names conflict. To learn more about the object properties, read User Object Properties In Rules.
Using custom claims, however, Auth0 gives precedence to the claim that was set on the context.idToken object.
This change impacts Auth0 Rules that set app_metadata and user_metadata via context.id_token (assigning objects to them) and, at the same time, uses these fields in attribute mapping for add-on or Protocol (WS-Fed).
Example 1: Auth0 ignores attribute mapping when context.idToken.app_metadata is set with an empty object.
app_metadata in context.id_token takes precedence.
Add private, non-namespace claims to tokens
Custom claims behavior will not change for members of the custom claims beta program. This feature is already enabled.
Example
Private, non-namespace claims to /userinfo
Auth0 now returns private, non-namespaced custom claims in the /userinfo response when set on ID tokens.Example
Actions
Review tenant logs
First, check your tenant logs for deprecation notices to determine whether your tenant is affected by the migration.- Navigate to Auth0 Dashboard > Monitoring > Logs.
- Search the logs for
type: depnote AND description: *Custom*claims*.
Example
Provided below is an example deprecation log that is generated whenever extensibility code triggers.Fix Auth0 rules for SAML2 add-on and Web Service Federation Protocol (Ws-Fed)
If you setapp_metadata or user_metadata claims on the context.idToken object using SAML2 add-on or Web Service Federation Protocol (Ws-Fed) with Auth0 Rules along with attribute mapping, you will need to update your configuration to adjust for how Auth0 evaluates conflicting claim names between these objects. There are several possible fixes:
-
Make sure that the code of your Auth0 Rule always gives precedence to the content of objects set on
context.id_token: -
If you are using SAML2 add-on or Web Service Federation Protocol (Ws-Fed) attribute mapping, Avoid setting
app_metadataoruser_metadataclaims on thecontext.idTokenobject. Replace these claims with name-spaced claims when possible: -
Use a condition on the current protocol or on the current client to exclude statements setting
app_metadataoruser_metadatawhen the protocol issamlporwsfed.
Disable legacy behavior
Before you disable legacy behavior, we recommend you review the list of changes and verify your applications and integrations are compatible.
- Navigate to Auth0 Dashboard > Tenant Settings > Advanced and search for Migrations.
- Use the toggle to disable Custom claims must be namespaced.