I would like to be able to have a custom, request-specific value included in the token returned when I call POST /oauth/token with "grant_type": "client_credentials". I’ve got this working by adding a Client Credentials Exchange hook like this:
    module.exports = function(client, scope, audience, context, cb) {
      var access_token = {};
      access_token.scope = scope;
      // Propagate some value from request body to the access token
      const key = "https://mydomain.com/some-key";
      if (context.body[key]) {
        access_token[key] = context.body[key];
      }
      cb(null, access_token);
    };
Then I can include a value in the payload for my request to /oauth/token:
    # here it is: the custom key is the first property of the JSON body
    curl --request POST \
      --url https://mytenant.auth0.com/oauth/token \
      --header 'content-type: application/json' \
      --data '{
        "https://mydomain.com/some-key": "some-value",
        "client_id": "...",
        "client_secret": "...",
        "audience": "...",
        "grant_type": "client_credentials"
      }'
and it ends up as a custom claim under the same key in the access token.
According to the OAuth 2.0 spec, unrecognised request parameters will be ignored by the server, which suggests that adding custom properties to the payload this way ought to be benign. But is it? Can I rely on custom parameters in the OAuth Token payload being ignored, and always being accessible in my hook logic?
I had this exact same question. Since you mentioned “unrecognised request parameters will be ignored by the server” I suspect this just means the server won’t do anything to them, including not explicitly removing them from the request. Since it works for you (and subsequently for me now), I think this is probably the case.
Thanks for pointing out how I may access request parameters in a hook sent to this endpoint!
We have the exact same desire/requirement, although trying it as per above doesn’t appear to work. The documentation suggests that the request data would be available at context.request.body rather than context.body as per above. But neither works for us for some reason…
Thanks! The possibility of sending any extra property in the payload allows us to send any custom data to the Auth0 actions, where we can do our own validations and add the custom claims when needed.
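
A hardened variant of the hook from the original post, as an added example that is not code from the thread or from Auth0: because the value comes from the request body, it is checked for type and format and against a per-client allowlist before it becomes a claim. The value pattern and the `allowed_some_key_values` client metadata field are assumptions made for illustration.

```javascript
// Added example: hardened variant of the hook from the original post.
const CLAIM = "https://mydomain.com/some-key";      // claim name from the thread
const VALUE_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;      // assumed format for the value
const ALLOWLIST_FIELD = "allowed_some_key_values";  // hypothetical client metadata field

// Returns { ok: true, value } or { ok: false, reason }; value is undefined when
// the request did not carry the parameter at all.
function checkRequestedValue(client, body) {
  if (!body || !Object.prototype.hasOwnProperty.call(body, CLAIM)) {
    return { ok: true, value: undefined };
  }
  const requested = body[CLAIM];
  // A JSON body can carry objects, arrays or numbers; only accept a short string.
  if (typeof requested !== "string" || !VALUE_PATTERN.test(requested)) {
    return { ok: false, reason: "malformed value" };
  }
  // The value is chosen by the caller, so bind it to the authenticated client:
  // only values listed in that client's metadata may end up in its token.
  const raw = String((client && client.metadata && client.metadata[ALLOWLIST_FIELD]) || "");
  const allowed = raw.split(",").map((v) => v.trim()).filter(Boolean);
  if (!allowed.includes(requested)) {
    return { ok: false, reason: "value not permitted for this client" };
  }
  return { ok: true, value: requested };
}

function clientCredentialsHook(client, scope, audience, context, cb) {
  const result = checkRequestedValue(client, context.body);
  if (!result.ok) {
    // Fail the token request instead of silently issuing a token without the claim.
    return cb(new Error(`${CLAIM}: ${result.reason}`));
  }
  const access_token = { scope };
  if (result.value !== undefined) {
    access_token[CLAIM] = result.value;
  }
  cb(null, access_token);
}

// Hooks are CommonJS modules; the guard keeps the file loadable elsewhere too.
if (typeof module !== "undefined") {
  module.exports = clientCredentialsHook;
}
```

The API that consumes the token should still treat the claim as an input to its own authorization checks, since the claim only records what this hook allowed at issuance.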