Access token contains custom claims using Rules, but not Actions

Hi there,

I’ve been trying to follow the Auth0 docs to get a custom claim added to an access token.

The following code inside an action doesn’t work:

  const namespace = 'http://bruce.nexbe/';

  // extract the bruce_role from app_metadata
  const bruce_role = event.user.app_metadata['bruce_role'] ?? '';
  api.idToken.setCustomClaim(`${namespace}/bruce_role`, bruce_role);

  const region = event.user.user_metadata['region'] ?? 'unknown region';
  api.idToken.setCustomClaim(`${namespace}/region`, region);  

  //console.log('adding region to access token');
  api.accessToken.setCustomClaim(`${namespace}/region`, region);

However, i’ve just tried using a Rule with the following code:

function addEmailToAccessToken(user, context, callback) {

  var namespace = 'http://bruce.nexbe/';
  const region = user.user_metadata.region || "unknown region";
  context.accessToken[namespace + 'region'] = region;
  return callback(null, user, context);

and the access token now contains the expected claim:

  "http://bruce.nexbe/region": "Canterbury",
  "iss": "",
  "sub": "auth0|603edec1b5929e006b5dc2ee",
  "aud": [
  "iat": 1655281919,
  "exp": 1655368319,
  "azp": "z0Qd2eu7yAn4O6b5DaQz5kOocNJBtuVr",
  "scope": "openid profile offline_access"

Anybody got any idea why? TIA

Hi there @kelly.cliffe1 welcome to the community!

Have you had any luck sorting this out? Are you using a Post Login Action or something else? Your code looks OK to me so but I’d need to test this myself.

Let us know either way!

Hi there,

I haven’t really looked for other solutions - it’s working as described above so we’ve moved onto other issues. To be honest I’m not sure how we’d diagnose the action any further. Yes, it’s a Post Login action.


Thanks for responding, and good to know it’s working in the context of a rule!

I suppose I’d need to see the structure of the app_metadata, but that being said it seems like there could be a compatibility issue regarding legacy (authorization extension/rules) vs current (authorization core/actions). You can read more about Authorization Core vs. Authorization extension as well as the best practice to add roles to tokens using an Action:

Hope this helps if you decide to go that route :smile:

1 Like


User_meta is pretty simple:

“region”: “…value…”

I read both linked articles - the Faq article is mainly relevant in that it shows setting of the access token value? Which i take it works theoretically - just not for us inside our action.

The Auth Core vs. Auth Extension - to be honest i’m not sure what the relevance is - is this an RBAC scenario?

I guess i’m still trying to understand why pretty much 1 line of code works in the rule, and not in the action - it feels like i’ve done something dumb, but i’m not sure what…

Thanks for replying by the way.