/oauth/access_token custom claims

My current flow is the following:

  • The user opens a native app, which uses the Facebook SDK to retrieve a Facebook access_token; I then exchange that for an Auth0 access token.

My understanding is that /oauth/access_token has been deprecated, but I cannot figure out how to replace it with one of the /oauth/token flows.

It seems to me that an OIDC compliant alternative is not ready yet.

In the meantime I will be happy to continue using /oauth/access_token but I have two problems with it:

  • access_token is not a JWT when using /oauth/access_token
  • I can’t manage to add any custom claim to the id_token

Having to hit the /userinfo endpoint to retrieve the user information for each request is not really an option, as it would defeat the whole point of using JWT in the first place.

Is it possible that, as of today, there is no solution?

The current situation is the one you described: /oauth/access_token is only available as a legacy endpoint and, as such, it has no support for API Authorization (which would allow you to get a JWT access token) and no notion of strict OIDC compliance, which may explain the inability to add custom namespaced claims to the ID token.

At this time, using API Authorization with social authentication implies the use of browser-based authentication.

Could you please elaborate?

What would the flow be like in my app when a user presses the login with Facebook button?

Open Safari at this address: Facebook

Then what? I am not using the Auth0 SDK.

You would need to open the browser at the Auth0 authorize endpoint stating that you want to initiate authentication through Facebook. This would redirect to Facebook, the user would authenticate, Facebook would redirect to Auth0 and Auth0 would redirect to your application's specified redirect URL. You would have to set up the native application as a handler for that final redirect URL, retrieve the necessary information from the URL and complete the authentication in your app (which would get you the tokens).
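The browser-based flow described in that answer, as an added example (not code from the original thread or from Auth0's own SDK): it assumes the authorization code flow with PKCE against Auth0's /authorize and /oauth/token endpoints, and uses constructed placeholder values for the tenant, client ID, redirect URI and API audience.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; substitute your tenant, client and API identifier.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "com.example.app://callback"  # custom scheme the native app handles
API_AUDIENCE = "https://api.example.com"     # requesting an API audience yields a JWT access token

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636 using S256."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(state, code_challenge):
    """Step 1: URL the app opens in the system browser; connection=facebook
    makes Auth0 start authentication through Facebook."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "connection": "facebook",
        "scope": "openid profile email",
        "audience": API_AUDIENCE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)

def parse_callback(url, expected_state):
    """Step 2: validate the redirect URL the app was launched with and extract the code."""
    parsed = urlparse(url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback does not match the registered redirect URI")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:  # ties the response to our own request
        raise ValueError("state mismatch, possible forged callback")
    return qs["code"][0]

def token_request(code, code_verifier):
    """Step 3: form body to POST to https://{AUTH0_DOMAIN}/oauth/token; the verifier proves this app started the flow."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID, "code": code,
            "code_verifier": code_verifier, "redirect_uri": REDIRECT_URI}
```

Keep the code_verifier and state in memory only for the duration of the flow; the /oauth/token response then carries the id_token and, because an audience was requested, a JWT access_token.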

thanks, I have already figured it out