Action Flow AccessToken empty on onExecutePostLogin

nolafs · June 16, 2023, 11:58am

Hi,

I have 4 action on my login flow. The first action has no issue accessing access api.accessToken but my last action, all api values are empty. Why?

exports.onExecutePostLogin = async (event, api) => {

  const axios = require("axios").default;
  
  const accessToken = api.accessToken;
  const user = {
    email: event.user.email,
    auth0Id: event.user.user_id
  }

Event object is fine.

Cheers
Olaf

rueben.tiow · June 16, 2023, 6:42pm

Hi @nolafs,

Thanks for reaching out to the Auth0 Community!

Could you please use the Actions debugger interface to test your last Action script to see if there are any errors or unexpected results?

If not, could you please share your last Action script and clarify if you are trying to set a custom claim to the access token?

The current script you shared has variables assigned but unused.

I look forward to your update.

Thanks,
Rueben

nolafs · June 19, 2023, 7:30am

Hi Rueben,

Sure, the access token is empty. Here are my test results:

thanks

rueben.tiow · June 23, 2023, 5:45pm

Hi @nolafs,

Thanks for the update and clarification.

The result you observed is expected. The correct usage for the api.accessToken is to set a custom claim like the following syntax:

api.accessToken.setCustomClaim(name, value)

(Reference: Actions Triggers: post-login - API Object)

I would also like to add that the API Object provides methods for changing the behavior of the flow and cannot be used to read data. This means that you won’t be able to get the data from the access token until you have completed the login flow.

(Reference: Login Flow)

Please let me know if you have any questions.

Thanks,
Rueben

nolafs · June 26, 2023, 7:05am

Ok, I understand but I do need to be able to call my api during the flow, how do I protect those endpoints?

nolafs · June 26, 2023, 5:12pm

How do i protect my api then?

rueben.tiow · June 27, 2023, 6:46pm

Hi @nolafs,

Thanks for following up.

You can protect your endpoints with Scopes (permissions).

It would look something like the following:

https://{yourDomain}/authorize?
    response_type=code&
    client_id={yourClientId}&
    redirect_uri={https://yourApp/callback}&
    scope=email%20profile%20openid%20read:reports%20update:reports&
    audience={yourAPIAudience}&
    state={state}

(Reference: Call Your API Using the Authorization Code Flow)

So say, for example, if a user does not have permissions granted to them, that are required for accessing your app or some protected resource, then they will be prevented from logging in.

Here are some helpful resources:

Please let me know how this goes for you.

Thanks,
Rueben

system · July 11, 2023, 6:47pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.