It’s important to start by distinguishing between Authentication, Authorization, and Access Control. Your Auth0 tenant (the Authorization Server) is typically responsible for Authentication and for some or all of Authorization. Access Control, however, must be the responsibility of the Application or API itself, because access control is almost always contextual:
- Authentication: the process of determining if the user is who they say they are.
- Authorization: the process of determining what the user is allowed to do in the system.
- Access Control: the process of limiting a user to only the actions permitted, based on a combination of who the user is, what they are allowed to do in the system, and their consent.
For application-level Authorization - typically referred to as Access Control - custom claims can be added to an OpenID Connect (OIDC) ID Token using Auth0’s Rule extensibility mechanism. You will need to decide what information those claims should carry so that your application can make its access control decisions.
ID Token claims
Through the use of Rule extensibility, Auth0 allows you to easily add custom claims to an ID Token based on a user’s metadata. Although adding custom claims via a Rule is streamlined, the rules engine is flexible and lets you write custom code, so you can also do things that have negative effects. It’s therefore important to follow our rules best practice guidance any time you use this extensibility feature.
When you are considering adding custom claims, we recommend that you store any data you may need to include in the claims in the user's app metadata. Doing so avoids calling out to an external API to fetch the data, which can negatively impact the performance and scalability of the login sequence. Remember to check out our metadata best practices too.
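The following is an added example (not code from Auth0's documentation) of a Rule that reads roles from the user's app metadata and adds them to the ID Token as a namespaced custom claim, together with a small offline harness that invokes it with a constructed user and context. The namespace `https://example.com/` and the `roles` field are assumptions; Auth0 requires custom claims to be namespaced and ignores ones that are not.

```javascript
// Added example: an Auth0 Rule that copies roles from app_metadata into a
// namespaced ID Token claim. In the dashboard the Rule is the function itself;
// it is named here so the local harness below can call it.
const NAMESPACE = 'https://example.com/'; // assumed namespace (must be a URL-style prefix)

function addRolesClaim(user, context, callback) {
  // app_metadata is writable only via privileged Management API access, so it is
  // a safe source for access control data; user_metadata is user-editable and
  // must never drive authorization decisions.
  const appMeta = user.app_metadata || {};
  const roles = Array.isArray(appMeta.roles) ? appMeta.roles : [];

  // Non-namespaced custom claims are silently dropped by Auth0.
  context.idToken = context.idToken || {};
  context.idToken[NAMESPACE + 'roles'] = roles;

  // Also expose the claim to APIs that validate the access token.
  context.accessToken = context.accessToken || {};
  context.accessToken[NAMESPACE + 'roles'] = roles;

  return callback(null, user, context);
}

// Offline harness: runs the Rule the way Auth0 would and captures the callback result.
function runRule(user, context) {
  let result;
  addRolesClaim(user, context, (err, u, ctx) => {
    result = { err, user: u, context: ctx };
  });
  return result;
}

// Constructed sample input (not real tenant data).
const sampleUser = {
  user_id: 'auth0|constructed-user',
  email: 'alice@example.com',
  app_metadata: { roles: ['admin', 'editor'] },
  user_metadata: { roles: ['admin'] }, // deliberately ignored by the Rule
};
const sampleContext = { clientID: 'constructed-client', idToken: {}, accessToken: {} };

const demo = runRule(sampleUser, sampleContext);
console.log(JSON.stringify(demo.context.idToken));
```

A user whose app metadata carries no `roles` receives an empty array rather than a missing claim, so consuming code can rely on the claim's presence.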
To help you with planning your implementation, we've put together some planning guidance that details our recommended strategies.