Managing hooks and rules

I have set up a Single Page Client with implicit grant type, where I have successfully been able to add custom claims to the access token using Rules. In order to keep manageability and consistency I use the Management API with scripts, which I version control.

However, now I have a need for implementing some Non Interactive Clients as well, using the Client Credentials grant type. And these access tokens need (some of) the same custom claims as the ones already implemented.

Through testing, reading docs and the forums, this is my current understanding.

  • It is not possible to alter the access token of a Non-Interactive client with Client Credentials grant using Rules. The only way to do this is using Hooks. Correct?

  • And to follow-up, it seems that it’s not possible to alter the access token of a SPA client with Implicit grant type using Hooks, only Rules (unless a new User entry is created, which doesn’t fit my use case). Correct?

  • Hooks are not supported in the management API, only in the Auth0 Web CLI. Correct?

Thus, my conclusion is that in order to accomplish what I want I have to implement the same logic twice, using both hooks and rules. And doing so using two different management constructions (the API for rules and the CLI for hooks).

Am I correct, or is it something I have overlooked?

Yes, on all of them. At this time, access tokens issued through end-user flows can be customized through rules while access tokens issued as part of client credentials will need to be customized through hooks.

The ability to manage hooks through the Management API is something that I have already seen discussed, but I can't give you definitive information on whether it will be made available for sure, or any timeline. Hooks are webtasks associated with your Auth0 account, so technically you could consider using the webtask API to create them, but it would still not be the same experience as the Management API.

+1 for management of Hooks via the Auth0 management API :-/


@s.opelt I posted that as an idea so feel free to vote for it as it allows us to have some insights about demand for a given feature.

When using grant_type client_credentials, it works;
With grant_type password it does not.

You should elaborate on what works vs. what does not work, but have in mind that, as stated, a client credentials hook can influence the access token issued as part of client credentials, while rules can influence access tokens issued on end-user flows like the password grant type.
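The split described in the two answers above (rules for end-user flows such as the implicit and password grants, a client-credentials-exchange hook for the client credentials grant) means the same claim logic has to exist in both places. The following is an added example, not code from the thread or from Auth0; it keeps the claim construction in one shared function and wires it into both entry points, then simulates each with constructed inputs so it runs offline. The namespace `https://example.com/claims/`, the claim names `tenant` and `roles`, and the sample user and client objects are all assumptions for illustration. The function signatures are the ones Auth0 documents for rules (`function (user, context, callback)`) and for the client credentials exchange hook (`function (client, scope, audience, context, cb)`).

```javascript
// Added example for this thread (not Auth0's code or the poster's scripts).
// Same custom claims applied twice: in a Rule (end-user flows) and in a
// client-credentials-exchange Hook. Namespace, claim names and sample
// user/client objects below are constructed for illustration.

// Auth0 only keeps custom claims whose names are namespaced (URL-style prefix);
// an unprefixed claim such as "tenant" is dropped from the issued token.
const NAMESPACE = 'https://example.com/claims/';

// Shared claim construction so both entry points stay consistent.
// Rules see user.app_metadata (values can be arrays); the hook sees only
// client.metadata, whose values are strings, so roles may arrive as "a,b".
function buildCustomClaims(metadata) {
  const rawRoles = metadata.roles;
  const roles = Array.isArray(rawRoles)
    ? rawRoles.slice()
    : typeof rawRoles === 'string'
      ? rawRoles.split(',').map((s) => s.trim()).filter(Boolean)
      : [];
  return {
    [NAMESPACE + 'tenant']: metadata.tenant || null,
    [NAMESPACE + 'roles']: roles,
  };
}

// Rule: Auth0 calls function (user, context, callback) on end-user flows.
// Claims are added by assigning onto context.accessToken.
function addClaimsRule(user, context, callback) {
  const claims = buildCustomClaims((user && user.app_metadata) || {});
  context.accessToken = Object.assign({}, context.accessToken, claims);
  return callback(null, user, context);
}

// Hook: Auth0 calls function (client, scope, audience, context, cb) on the
// client credentials exchange. The object handed to cb supplies the token's
// extra claims; scope must be copied back or the token loses its scopes.
function addClaimsHook(client, scope, audience, context, cb) {
  const accessToken = { scope: scope }; // do not remove: keeps granted scopes
  Object.assign(accessToken, buildCustomClaims((client && client.metadata) || {}));
  return cb(null, accessToken);
}

// --- Offline simulation of both entry points with constructed inputs ---

// Constructed sample of what a Rule receives during a password (or implicit) grant.
function runRuleExample() {
  const user = { user_id: 'auth0|123', app_metadata: { tenant: 'acme', roles: ['reader'] } };
  const context = { protocol: 'oauth2-password', accessToken: { scope: 'openid read:things' } };
  let result = null;
  addClaimsRule(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = ctx.accessToken;
  });
  return result;
}

// Constructed sample of what the Hook receives during a client credentials
// exchange. There is no user object at all, which is why a Rule cannot serve
// this flow and the logic must be reachable from the hook as well.
function runHookExample() {
  const client = { id: 'abc', name: 'batch-job', metadata: { tenant: 'acme', roles: 'reader,writer' } };
  const scope = ['read:things'];
  const audience = 'https://api.example.com/';
  let result = null;
  addClaimsHook(client, scope, audience, {}, (err, token) => {
    if (err) throw err;
    result = token;
  });
  return result;
}

console.log('rule  ->', JSON.stringify(runRuleExample()));
console.log('hook  ->', JSON.stringify(runHookExample()));
```

Keeping `buildCustomClaims` as the single source of truth is the practical answer to "implement the same logic twice": the rule and the hook become thin adapters around it, and the only duplication left is the deployment step (Management API for the rule, CLI or webtask API for the hook). Check the issued tokens after deploying both, since a missing namespace or a dropped `scope` in the hook fails silently rather than with an error.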