I am using auth0 as OIDC provider for single-sign-on.
So far I tried login with two application types, on the one hand the native application type and on the other hand the machine-to-machine application type.
However, when I log in, I only receive a very simple id_token with the following payload:

{
  "https://example.com/roles": [
    "user"
  ],
  "iss": "https://my.idp.provider.com",
  "sub": "oauth2|someconnection|samlp|somecompany|someusername",
  "aud": "REMOVED",
  "iat": 1547652649,
  "exp": 1547688649
}
I want to add a group claim to this token. How can I configure my Auth0 tenant to add "group": "admin" as a claim? Do I need to enable a particular scope in my authentication client to receive the groups claim?
I have installed and configured the Authorization Extension in Auth0, but that did not have any effect on the claims in my token. I know that the Authorization Extension does not support machine-to-machine applications. Therefore, I added the native application and tried to log in with that, but that also did not return any additional claims.
After configuring the Authorization extension, you can add custom claims to the issued JWT tokens from Rules. There's a sample rule here that does the job: https://auth0.com/docs/extensions/authorization-extension/v2/rules#add-custom-claims-to-the-issued-token
You can customize the Client Credentials token as well using the Hook: https://auth0.com/docs/api-auth/tutorials/client-credentials/customize-with-hooks
EDIT: OIDC Conformant Apps require you to define the namespace because authorization data such as roles and groups are not OIDC claims.
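The two customisation points the answer names, written out as an added example so they can be run offline (this is not code from the question, the answer, or Auth0's documentation). The first function is an Auth0 Rule with the (user, context, callback) signature Auth0 invokes; the second is a client-credentials Hook with the (client, scope, audience, context, cb) signature. Assumptions not stated on the page: the Authorization Extension's "Token Contents" settings publish groups, the Rule is ordered after the extension's own auto-generated rule (which is what populates the groups), and the machine-to-machine client carries its groups in client.metadata.groups, a convention chosen here because the extension does not cover M2M clients. The namespace https://example.com/ is a placeholder for a URL you control.

```javascript
// Added example, not code from the original post or from Auth0's docs.
// Namespace must be a URL you control (not an auth0.com domain); custom
// claims without a URL namespace are silently dropped for OIDC-conformant
// applications, which is why the unnamespaced "group" claim never appeared.
const NAMESPACE = "https://example.com/";

// 1. Rule: same (user, context, callback) signature Auth0 invokes.
// Assumption: this Rule runs after the Authorization Extension's rule.
function addGroupsClaim(user, context, callback) {
  // The extension exposes its data on context.authorization; older rule
  // versions copied it onto the user object. Accept both locations.
  const authz = context.authorization || {};
  const groups = Array.isArray(authz.groups) ? authz.groups
    : Array.isArray(user.groups) ? user.groups
    : [];

  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  // Groups are an array, not a single "group": "admin" string. No scope
  // needs to be requested by the client for a claim added here.
  context.idToken[NAMESPACE + "groups"] = groups;
  context.accessToken[NAMESPACE + "groups"] = groups;
  return callback(null, user, context);
}

// 2. Client-credentials Hook: (client, scope, audience, context, cb).
// There is no user in this grant, so the groups must come from the client.
// Assumption: an admin stored a comma-separated list in client.metadata.groups.
function clientCredentialsHook(client, scope, audience, context, cb) {
  const accessToken = { scope: scope };
  const meta = (client && client.metadata) || {};
  const groups = typeof meta.groups === "string"
    ? meta.groups.split(",").map((g) => g.trim()).filter(Boolean)
    : [];
  accessToken[NAMESPACE + "groups"] = groups;
  return cb(null, accessToken);
}

// Offline harness: constructed inputs standing in for what Auth0 passes in.
function runRuleExample() {
  const user = {
    user_id: "oauth2|someconnection|samlp|somecompany|someusername",
    groups: ["admin", "user"], // legacy location, ignored when context.authorization is present
  };
  const context = {
    clientID: "REMOVED",
    idToken: {},
    accessToken: {},
    authorization: { groups: ["admin"], roles: ["user"] }, // what the extension's rule sets
  };
  let out = null;
  addGroupsClaim(user, context, (err, u, ctx) => {
    out = { err: err, idToken: ctx.idToken, accessToken: ctx.accessToken };
  });
  return out;
}

function runHookExample() {
  const client = { name: "batch-job", metadata: { groups: "admin, service" } };
  let out = null;
  clientCredentialsHook(client, "read:reports", "https://api.example.com", {}, (err, token) => {
    out = { err: err, accessToken: token };
  });
  return out;
}

console.log(JSON.stringify(runRuleExample(), null, 2));
console.log(JSON.stringify(runHookExample(), null, 2));
```

Paste the body of addGroupsClaim into a new Rule in the dashboard and drag it below the Authorization Extension's rule; if it runs first, context.authorization is still empty and the claim comes out as an empty array. Decode the resulting id_token and look for the "https://example.com/groups" key rather than "groups".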