app metadata is not included in the token when using /oauth/token endpoint with client_credentials grant type

cjain · June 29, 2017, 1:04am

I’m trying to generate a token on the server to communicate with our api. We were using /oauth/ro endpoint like this.

response = requests.post(
            urllib.parse.urljoin(self.origin, '/oauth/ro'),
            json={
                'client_id': self.client_id,
                'id_token': self.request_token,
                'connection': self.connection,
                'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
                'scope': 'openid app_metadata',
                'device': 'service',
            },
        )

I’m trying to move this to /oauth/token endpoint but seems like the access_token i get does not include app_metadata.

response = requests.post(
            urllib.parse.urljoin(self.origin, '/oauth/token'),
            json={
                'client_id': self.client_id,
                'client_secret': self.client_secret,
                'grant_type': 'client_credentials',
                'scope': 'read:users_app_metadata',
                'audience': 'audience',
            },
        )

I enabled non-interactive client for auth0 management api with read:users_app_metadata scope. What am i missing?

prashantT · June 29, 2017, 7:51am

The Client Credentials grant flow is an OIDC conformant flow - app_metadata is not part of the OIDC conformant claims. In order to include these in the token, you will need to add the via a Rule, as a namespaced claim. Take a look at the following doc which outlines this:

cjain · June 29, 2017, 10:24pm

Thanks @prashant for the info. I will follow that guide for custom claims. One more thing, i noticed is that access_token is not a jwt when the audience is not set. We didn’t have any audience when calling oauth/ro.

Note: we have a microservice achitecture and this is making internal api calls between those services.