Access token contains custom claims using Rules, but not Actions

Hi there,

I’ve been trying to follow the Auth0 docs to get a custom claim added to an access token.

The following code inside an action doesn’t work:

  const namespace = 'http://bruce.nexbe/';

  // extract the bruce_role from app_metadata
  const bruce_role = event.user.app_metadata['bruce_role'] ?? '';
  api.idToken.setCustomClaim(`${namespace}/bruce_role`, bruce_role);

  const region = event.user.user_metadata['region'] ?? 'unknown region';
  api.idToken.setCustomClaim(`${namespace}/region`, region);  

  //console.log('adding region to access token');
  api.accessToken.setCustomClaim(`${namespace}/region`, region);

However, i’ve just tried using a Rule with the following code:

function addEmailToAccessToken(user, context, callback) {

  var namespace = 'http://bruce.nexbe/';
  const region = user.user_metadata.region || "unknown region";
  context.accessToken[namespace + 'region'] = region;
  return callback(null, user, context);

and the access token now contains the expected claim:

  "http://bruce.nexbe/region": "Canterbury",
  "iss": "",
  "sub": "auth0|603edec1b5929e006b5dc2ee",
  "aud": [
  "iat": 1655281919,
  "exp": 1655368319,
  "azp": "z0Qd2eu7yAn4O6b5DaQz5kOocNJBtuVr",
  "scope": "openid profile offline_access"

Anybody got any idea why? TIA

Hi there @kelly.cliffe1 welcome to the community!

Have you had any luck sorting this out? Are you using a Post Login Action or something else? Your code looks OK to me so but I’d need to test this myself.

Let us know either way!

Hi there,

I haven’t really looked for other solutions - it’s working as described above so we’ve moved onto other issues. To be honest I’m not sure how we’d diagnose the action any further. Yes, it’s a Post Login action.


Thanks for responding, and good to know it’s working in the context of a rule!

I suppose I’d need to see the structure of the app_metadata, but that being said it seems like there could be a compatibility issue regarding legacy (authorization extension/rules) vs current (authorization core/actions). You can read more about Authorization Core vs. Authorization extension as well as the best practice to add roles to tokens using an Action:

Hope this helps if you decide to go that route :smile:

1 Like


User_meta is pretty simple:

“region”: “…value…”

I read both linked articles - the Faq article is mainly relevant in that it shows setting of the access token value? Which i take it works theoretically - just not for us inside our action.

The Auth Core vs. Auth Extension - to be honest i’m not sure what the relevance is - is this an RBAC scenario?

I guess i’m still trying to understand why pretty much 1 line of code works in the rule, and not in the action - it feels like i’ve done something dumb, but i’m not sure what…

Thanks for replying by the way.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.