Add custom information in Access tokens

walter.adbe · December 5, 2022, 5:42pm

We are facing a specific scenario in the application where we have to add custom information to an access token. I have read the documents that i could find where we can add using Actions and Rules. I was able to add some basic information like email and user_id to the access tokens

For eg:

function addEmailToAccessToken(user, context, callback) {
// This rule adds the authenticated user’s email address to the access token.
var namespace = ‘http://example.com/’;
context.accessToken[namespace + ‘email’] = user.email;
context.accessToken[namespace + ‘id’] = user.identities[0].user_id;
return callback(null, user, context);
}

In Actions too i can do the same by adding an action to post login flow. The question i have is how to add custom information to access token.
Below is the use case scenario.

We have build a login using custom login with Resource owner password flow.
The front end calls the back-end and the back-end calls Auth0 (https://dev-xxxxxxxx.auth0.com/oauth/token) with email and password to get access toekns.
In Auth0 i have a custom database configured. Therefore all the information is stored in the custom database.
Note: To accommodate some custom information during registration of a user [
api/v2/users] i have used user_metadata to include information like city province …etc as part of the request.
I have enable password grant in Auth0 and i have also made sure that it is password grant by checking the token in https://jwt.io/
Next i have added a rule with “add email to access token default template”. I was also able to add user_id to the access token.

function addEmailToAccessToken(user, context, callback) {
var namespace = ‘https://example.com/’;
context.accessToken[namespace + ‘email’] = user.email;
context.accessToken[namespace + ‘id’] = user.identities[0].user_id;
return callback(null, user, context);
}
Blockquote

I printed the user object and i received the following information

{
_id: ‘ac48cb434c56779ef4509658e965a468’,
clientID: ‘xxxxxx’,
created_at: ‘2022-12-05T08:28:21.414Z’,
email: ‘abc@gmail.com’,
identities: [
{
user_id: ‘1’,
provider: ‘auth0’,
connection: ‘xxx’,
isSocial: false
}
],
name: ‘abc@gmail.com’,
nickname: ‘abc’,
picture: ‘https://s.gravatar.com/avatar/565320b54542ab6c0b9cd9aa84847103?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fwa.png’,
updated_at: ‘2022-12-05T17:26:37.179Z’,
user_id: ‘auth0|1’,
global_client_id: xxxxx,
persistent: {}
}

My question is how would i add some custom information to the above payload so that i can add it to the access token. In my case i would want to add role, organisation Id.
Note: Alternatively i can add the custom information as part of a cookie that i send to the front-end, but i would prefer to put it in access tokens.

Any help is appreciated or just point to a correct way of implementing it.

rueben.tiow · December 5, 2022, 6:04pm

Hi @walter.adbe,

Welcome to the Auth0 Community!

I understand that you would like to add custom data in Access Tokens.

The best way to do this is using Rules or Actions, as you have discovered.

To add the Roles and Organization ID, you must add the event.user.roles and event.organization.id properties in your Action script. See below:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://my-app.example.com';
  if (event.authorization) {
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
   api.accessToken.setCustomClaim(`${namespace}/roles`, event.organization.id);
  }
}

Lastly, please see the Actions Triggers: post-login - Event Object documentation for the complete list of properties you can call for the event object.

Can I help you with anything else?

Thanks,
Rueben

walter.adbe · December 5, 2022, 7:22pm

Hi Rueben,

I figured out in order to have org_id in organisation we have to authenticate users through an organisation. Work with Tokens and Organizations.

Questions:

I did not create an organisation through an Auth0 api. I used my backend to create it. Will i still be able to add organisation information in the event object.
If the above scenario cannot be achieved the documentation mentions

To authenticate a user through an organization, an organization parameter is added to a call to the /authorize endpoint.

I am not using /authorize end point. I am using (https://dev-xxxxxxxx.auth0.com/oauth/token) to get the tokens.

walter.adbe · December 5, 2022, 8:02pm

Finally figured it out. Since i am using custom database option in the login query of custom database

I have to add custom information to app_metadata or user_metadata (based on different use cases of the application).
And we can retrieve that information in actions through event.user.app_metadata or event.user.user_metadata and add it to build out tokens.
Question?
Is it safe to assume that since app_metadata reside inside auth0 and not exposed outside.

rueben.tiow · December 9, 2022, 11:03pm

Hi @walter.adbe,

Thank you for your responses.

Yes, and as you have discovered, will have to leverage the user’s app_metadata and user_metadata.

Yes, that is right. The user’s app metadata is not public information.

I hope this helps!

Please let me know if I can help you with anything else.

Thanks,
Rueben

system · December 23, 2022, 11:03pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.