Help get this topic noticed by sharing it on Twitter, Facebook, or email.

Custom claim naming

I have a question about the format of custom claims that are returned as part of the id token and in response to /userinfo.

I'd like any advice/best practice/lessons learned on

1. Should claims contain nested JSON documents or should each claim contain one value e.g.

"custom" : { "first":"valuefirst", "second": { "third":"thirdvalue"} }

"custom:first" : "firstvalue",
"custom:second:third" : "thirdvalue"

2. The spec refers to claim names being collision-resistant as per JWT spec, and all the examples of custom claims use a URI as the claim name to achieve this. Do people genuinely use URLs? Does it cause problems for the consumers of the claims?

Many thanks in advance
1 person has
this question