Configure Custom OpenID Connect Claims via Claims Parameter Using Management API

ConnectionsAPI
Nov 24, 2025
Overview

This article explains how to configure an OpenID Connect (OIDC) Enterprise Connection to request specific claims from an Identity Provider (IdP). This configuration addresses scenarios where the IdP does not support standard profile and email scopes and instead requires the OIDC claims parameter in the authorization request. This process uses the static parameters method, which requires using the Auth0 Management API.

Applies To

  • Auth0 Management API

  • OpenID Connect Enterprise Connection

Solution

  1. Go to the Auth0 Dashboard.

  2. Select Authentication > Enterprise.

  3. Select the OpenID Connect connection.

  4. Locate the connection Identifier.

  5. Construct the JavaScript Object Notation (JSON) object for the required claims. For example, to request given_name, family_name, and email as essential claims in the ID token, use the following object:

    JSON
     
    {
  "id_token": {
    "given_name": { "essential": true },
    "family_name": { "essential": true },
    "email": { "essential": true }
  }
}

  6. URL-encode the JSON string to pass it correctly as a query parameter value.

    Plaintext
     
    %7B%22id_token%22%3A%7B%22given_name%22%3A%7B%22essential%22%3Atrue%7D%2C%22family_name%22%3A%7B%22essential%22%3Atrue%7D%2C%22email%22%3A%7B%22essential%22%3Atrue%7D%7D%7D

  7. Send a PATCH request to the /api/v2/connections/<connection_id> endpoint using the connection ID obtained in Step 4.

  8. Add the upstream_params object to the options object in the request body. NOTE: The upstream_params object must be merged into the existing options to prevent overwriting settings such as issuer or client_id. Perform a GET call to retrieve existing options before updating.

    JSON
     
    {
  "options": {
    "upstream_params": {
      "claims": {
        "value": "%7B%22id_token%22%3A%7B%22given_name%22%3A%7B%22essential%22%3Atrue%7D%2C%22family_name%22%3A%7B%22essential%22%3Atrue%7D%2C%22email%22%3A%7B%22essential%22%3Atrue%7D%7D%7D"
      }
    }
    // Include other existing options here
  }
}

    This configuration ensures that every authorization request Auth0 initiates for this connection includes the &claims= parameter with the specified URL-encoded value.

    For official documentation on passing parameters to Identity Providers, please refer to Pass Parameters to Identity Providers.

Recommended content

No recommended content found...
Need more help? Visit the Community
Visit the Auth0 Community