OIDC-Conformant Adoption: Access Tokens
Because Applications and APIs (resources) are defined as separate Auth0 entities with the OIDC-conformant pipeline, you can get Access Tokens for your APIs. Consequently, all APIs should be secured with Access Tokens instead of ID Tokens. To learn more, see Access Tokens and ID Tokens.
The OIDC-conformant pipeline standardizes claims that can be added to ID and access tokens rather than allowing you to add arbitrary claims.
The OIDC specification defines a set of standard claims about users, such as profile and email, that can be returned in ID Tokens or in the response from /userinfo. To learn more, see OpenID Connect Scopes and Claims.
With the OIDC-conformant pipeline, custom claims may still be added to ID tokens or access tokens, but they must conform to a namespaced format to avoid possible collisions with standard OIDC claims. To learn how to add a custom claim in the OIDC-conformant pipeline, see Sample Use Cases: Scopes and Claims.
Force the use of non-namespaced claims
To force the use of non-namespaced claims, you must:
use the non-OIDC-conformant pipeline
enable the Legacy User Profile toggle switch. To do this:
Navigate to Auth0 Dashboard > Tenant Settings > Advanced Settings, and locate the Migrations section.
Enable the Legacy User Profile toggle switch, and Save. This setting is only enabled for older tenants; newly-created tenants cannot see or enable it.
In the OIDC-conformant pipeline, applications can use scopes to request that:
Standard OIDC claims, such as
Permissions supported by the API they want to access be included in the access token. For example, you can define your custom API's audience and required scopes, which will allow you to segregate access to different operations within your API.