Action Flow AccessToken empty on onExecutePostLogin

Hi,

I have 4 actions in my login flow. The first action has no issue accessing api.accessToken, but in my last action all api values are empty. Why?

exports.onExecutePostLogin = async (event, api) => {
  const axios = require("axios").default;

  // api.accessToken is the API object's handle for the token being issued;
  // this variable holds that handle, not the token string itself
  const accessToken = api.accessToken;
  const user = {
    email: event.user.email,
    auth0Id: event.user.user_id
  };
};

Event object is fine.

Cheers
Olaf


Hi @nolafs,

Thanks for reaching out to the Auth0 Community!

Could you please use the Actions debugger interface to test your last Action script to see if there are any errors or unexpected results?

If not, could you please share your last Action script and clarify if you are trying to set a custom claim to the access token?

The current script you shared has variables assigned but unused.

I look forward to your update.

Thanks,
Rueben

Hi Rueben,

Sure, the access token is empty. Here are my test results:

thanks

Hi @nolafs,

Thanks for the update and clarification.

The result you observed is expected. The correct usage of api.accessToken is to set a custom claim with the following syntax:

api.accessToken.setCustomClaim(name, value)

(Reference: Actions Triggers: post-login - API Object)

I would also like to add that the API Object provides methods for changing the behavior of the flow and cannot be used to read data. This means that you won’t be able to get the data from the access token until you have completed the login flow.


(Reference: Login Flow)

Please let me know if you have any questions.

Thanks,
Rueben
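
The pattern Rueben describes, as an added example that is not part of the original thread or of Auth0's own code: a post-login Action that calls a backend during the flow, authenticates that call with a secret from the Action's Secrets (the user's access token does not exist yet), and then writes the backend's answer into the token with api.accessToken.setCustomClaim(). The backend URL and secret names (BACKEND_URL, BACKEND_API_KEY), the /auth0/post-login endpoint, the claim namespace and the injected `send` function are all hypothetical; `demo()` runs the Action against a constructed event and a recording fake of the api object so it works offline.

```javascript
// Added example (not from the thread): Auth0 post-login Action that calls a
// backend and sets namespaced custom claims. All names below are assumptions.

const CLAIM_NAMESPACE = "https://example.com/"; // hypothetical claim namespace

// Build the outbound request. The user's access token is not issued until the
// flow completes, so the Action authenticates itself with an Action secret.
function buildBackendRequest(event) {
  const secrets = event.secrets || {};
  if (!secrets.BACKEND_URL || !secrets.BACKEND_API_KEY) {
    throw new Error("BACKEND_URL and BACKEND_API_KEY must be set as Action secrets");
  }
  return {
    method: "post",
    url: secrets.BACKEND_URL + "/auth0/post-login", // hypothetical endpoint
    headers: { "x-api-key": secrets.BACKEND_API_KEY, "content-type": "application/json" },
    data: { email: event.user.email, auth0Id: event.user.user_id },
  };
}

// Map the backend's reply to namespaced claims so they cannot collide with
// standard claims such as `sub` or `scope`.
function claimsFromProfile(profile) {
  return {
    [CLAIM_NAMESPACE + "tenant"]: profile.tenant,
    [CLAIM_NAMESPACE + "roles"]: Array.isArray(profile.roles) ? profile.roles : [],
  };
}

// `send` is injected so the logic can run without a network; in the deployed
// Action it is axios.request. A failed lookup denies the login rather than
// issuing a token with missing claims.
async function runPostLogin(event, api, send) {
  const request = buildBackendRequest(event);
  let profile;
  try {
    profile = (await send(request)).data;
  } catch (err) {
    api.access.deny("profile lookup failed");
    return { ok: false, claims: {} };
  }
  const claims = claimsFromProfile(profile);
  for (const [name, value] of Object.entries(claims)) {
    api.accessToken.setCustomClaim(name, value); // the only supported write
  }
  return { ok: true, claims };
}

// In the Actions editor this is `exports.onExecutePostLogin`.
const onExecutePostLogin = async (event, api) => {
  const axios = require("axios").default;
  await runPostLogin(event, api, axios.request);
};

// Constructed sample run: fake event, recording api object, canned backend.
async function demo({ backendRejects = false } = {}) {
  const event = {
    user: { email: "olaf@example.com", user_id: "auth0|123" },
    secrets: { BACKEND_URL: "https://api.example.com", BACKEND_API_KEY: "s3cr3t" },
  };
  const recorded = [];
  const api = {
    // Note the shape: setCustomClaim exists, but there is no token value to read.
    accessToken: { setCustomClaim: (name, value) => recorded.push([name, value]) },
    access: { deny: (reason) => recorded.push(["deny", reason]) },
  };
  const send = async (req) => {
    if (backendRejects || req.headers["x-api-key"] !== event.secrets.BACKEND_API_KEY) {
      throw new Error("401 from backend");
    }
    return { data: { tenant: "acme", roles: ["reader"] } };
  };
  const result = await runPostLogin(event, api, send);
  return { result, recorded };
}
```

The backend in this example trusts the x-api-key header only because it is a secret held by the Action; rotate it through the Action's Secrets rather than hard-coding it, and keep the endpoint unreachable from browsers.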

OK, I understand, but I do need to be able to call my API during the flow. How do I protect those endpoints?

How do I protect my API then?

Hi @nolafs,

Thanks for following up.

You can protect your endpoints with Scopes (permissions).

It would look something like the following:

https://{yourDomain}/authorize?
    response_type=code&
    client_id={yourClientId}&
    redirect_uri={https://yourApp/callback}&
    scope=email%20profile%20openid%20read:reports%20update:reports&
    audience={yourAPIAudience}&
    state={state}

(Reference: Call Your API Using the Authorization Code Flow)

So, for example, if a user has not been granted the permissions required for accessing your app or some protected resource, they will be prevented from logging in.

Here are some helpful resources:

Please let me know how this goes for you.

Thanks,
Rueben
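
The API side of the scope-based protection Rueben describes, as an added example that is not part of the original thread or of Auth0's own code. It assumes the access token has already been verified (signature, issuer, audience) by the API's JWT middleware and that the decoded payload is available as req.auth.payload, the shape used by Auth0's express-oauth2-jwt-bearer; the endpoint and the read:reports / update:reports scopes come from the /authorize URL above, and the fake req/res in `simulate()` is constructed so the check runs without Express.

```javascript
// Added example (not from the thread): enforce required scopes on an API
// route after the JWT has been verified. Scope names are hypothetical.

// Auth0 access tokens carry granted scopes as a space-separated `scope`
// claim; with RBAC's "Add Permissions in the Access Token" enabled they also
// carry a `permissions` array. Collect both into one set.
function grantedScopes(payload) {
  const granted = new Set();
  if (typeof payload.scope === "string") {
    payload.scope.split(" ").filter(Boolean).forEach((s) => granted.add(s));
  }
  if (Array.isArray(payload.permissions)) {
    payload.permissions.forEach((p) => granted.add(p));
  }
  return granted;
}

// True only when every required scope is present (no partial credit).
function hasScopes(payload, required) {
  const granted = grantedScopes(payload);
  return required.every((s) => granted.has(s));
}

// Express-style middleware factory: 401 when no verified token is attached,
// 403 when the token lacks a required scope, otherwise pass through.
function requireScopes(required) {
  return function (req, res, next) {
    if (!req.auth || !req.auth.payload) {
      return res.status(401).json({ error: "missing or invalid token" });
    }
    if (!hasScopes(req.auth.payload, required)) {
      return res.status(403).json({ error: "insufficient_scope", required });
    }
    return next();
  };
}

// Minimal fake req/res (constructed) so the middleware runs without Express.
function simulate(middleware, payload) {
  const outcome = { status: 200, body: null, next: false };
  const res = {
    status(code) { outcome.status = code; return this; },
    json(body) { outcome.body = body; return this; },
  };
  const req = { auth: payload ? { payload } : undefined };
  middleware(req, res, () => { outcome.next = true; });
  return outcome;
}

// Usage in an Express app would be:
//   app.get("/reports", checkJwt, requireScopes(["read:reports"]), handler);
//   app.put("/reports/:id", checkJwt, requireScopes(["read:reports", "update:reports"]), handler);
```

Keep the JWT verification (checkJwt above) and the scope check as two separate steps: the first answers "is this token genuine and meant for this API", the second answers "was this caller granted this operation". Checking scopes on an unverified payload proves nothing.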
