Add custom fields in /oauth/token response

We have a use case whereby we need to add custom fields in the response to a call to /oauth/token.

    {
      "access_token": "<jwt-access-token>",
      "id_token": "<jwt-id-token>",
      "refresh_token": "<opaque-refresh-token>",
      "customField": "<custom-value>"
    }

Is there any way to do so using rules or hooks? If not, is this something Auth0 are looking to add?

Hi s.skillman

What’s the use case?

I don’t think there is a way to do exactly what you are asking, but I am pretty sure there’s a better way to do this rather than customizing the result of the /oauth/token endpoint.

Post the details here and we can try to figure it out.


Hi John,

The use case is this flow:

A workaround is to include the “patient” context inside either the ID token or the access token as a custom claim; however, if the client doesn’t request the openid scope, they won’t receive the ID token, and even though they could get it from the access token, this should be treated as opaque by the client (as I understand). In any case, this wouldn’t conform to the specification documented.


Hi @s.skillman

This looks like you want to add a patient ID number, right?

I think this belongs in the access token or the ID token, depending on the security context.
This doesn’t sound like a workaround to me, it sounds like the right way to do it.
You have to evaluate the security here: is patient PII? If so, can it be released to the client? It may belong in the access token if it is PII.


That’s right, and yes, I think the patient ID number should go in the access token so the consuming API knows and trusts the patient ID in context. However, to conform to that specification one would need to include the patient ID outside the token as well, from what I can tell. Exposing the patient ID itself to the application is not an issue; in fact it’s desired. Anyway, the access token is a JWT, so it can be decoded by the application if it wishes.
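The approach agreed on above (carrying the patient ID as a custom claim in the access token rather than as an extra top-level field in the /oauth/token response), as an added example that is not code from the thread or from Auth0. It is written in the shape of an Auth0 Rule; the storage location `user.app_metadata.patient_id` and the claim namespace `https://example.com/` are placeholder assumptions, and the claim is namespaced because Auth0 drops un-namespaced custom claims added by rules.

```javascript
// Added illustration, not the thread's or Auth0's own code.
// Placeholder namespace: Auth0 requires rule-added custom claims to be
// namespaced with a URL-style prefix or they are silently dropped.
const PATIENT_CLAIM = 'https://example.com/patient';

// Auth0 Rule signature: (user, context, callback).
function addPatientClaim(user, context, callback) {
  // Assumption: the patient in context is stored in app_metadata, which the
  // user cannot edit themselves (unlike user_metadata).
  const patientId = user.app_metadata && user.app_metadata.patient_id;
  if (!patientId) {
    // No patient context for this user: issue the tokens unchanged.
    return callback(null, user, context);
  }
  // The consuming API verifies the access token signature, so this copy of the
  // patient ID is the one it can trust.
  context.accessToken[PATIENT_CLAIM] = patientId;
  // The ID token is only issued when the client requested the openid scope,
  // so setting the claim here is harmless when no ID token is minted.
  context.idToken[PATIENT_CLAIM] = patientId;
  return callback(null, user, context);
}

// Runs the rule on constructed sample input and returns the resulting context
// (the claim sets Auth0 would mint into the tokens) so it can be checked offline.
function runRuleOnSample(patientId) {
  const user = {
    user_id: 'auth0|sample-user', // constructed sample value
    app_metadata: patientId ? { patient_id: patientId } : {},
  };
  const context = { accessToken: {}, idToken: {} };
  let result = null;
  addPatientClaim(user, context, (err, _u, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}
```

The client then reads the patient ID from the (verified) token claims, so no change to the shape of the /oauth/token response is needed.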