Change Sub Field in AccessToken

Right now I am trying to change the ‘sub’ field of my access token to the user’s email to match the pattern required by an API used in my app. Right now the code looks like

// Auth0 Rule: runs after login, before the tokens are issued
function (user, context, callback) {
  // Attempt to overwrite the reserved 'sub' claim of the access token
  context.accessToken.sub = user.email;
  callback(null, user, context);
}

but when I examine the JWT, the sub field remains unchanged. What am I doing wrong?

Hi @thlummail

Perhaps the access_tokens are not something to be parsed or modified by the client application, so if you want to have access to the email address in a browser-based application you should request that the email be included as part of the issued ID token (you can do that by making an OIDC request with scope containing openid and email).

Moreover, the “sub” claim refers to the id of the user to whom the token was granted.
It would be better to configure your API to depend on the audience claim for granting access.