This works, but is it advisable?
I would like to be able to have a custom, request-specific value included in the token returned when I call POST /oauth/token with "grant_type": "client_credentials". I’ve got this working by adding a Client Credentials Exchange hook like this:
module.exports = function(client, scope, audience, context, cb) {
  var access_token = {};
  access_token.scope = scope;
  // Propagate some value from request body to the access token
  const key = "https://mydomain.com/some-key";
  if (context.body[key]) {
    access_token[key] = context.body[key];
  }
  cb(null, access_token);
};
Then I can include a value in the payload for my request to /oauth/token:
# the custom key in the JSON body below is the one the hook propagates into the access token
curl --request POST \
  --url https://mytenant.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{
    "https://mydomain.com/some-key": "some-value",
    "client_id": "...",
    "client_secret": "...",
    "audience": "...",
    "grant_type": "client_credentials"
  }'
and it ends up as a custom claim under the same key in the access token.
According to the OAuth 2.0 spec, unrecognised request parameters will be ignored by the server, which suggests that adding custom properties to the payload this way ought to be benign. But is it? Can I rely on custom parameters in the OAuth Token payload being ignored, and always being accessible in my hook logic?
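As an added example, not code from the original post or from Auth0, here is a hardened variant of the hook above that treats the /oauth/token request body as untrusted client input: it only copies the claim when the value is a string, within a length bound, and on an allow-list, so a client cannot put arbitrary content into a claim that downstream APIs trust because the token is signed by the tenant. The claim key, the allowed values, the length bound and the sample scope are assumptions for illustration.

```javascript
// Hardened Client Credentials Exchange hook (added example; assumptions below).
const CLAIM_KEY = "https://mydomain.com/some-key";            // assumed namespaced claim
const ALLOWED_VALUES = new Set(["some-value", "other-value"]); // assumed allow-list
const MAX_LEN = 64;                                            // assumed size bound

// Returns the validated value from the request body, or null if it is absent
// or not acceptable. The body is whatever the caller sent to /oauth/token, so
// it is validated like any other untrusted input before it becomes a claim.
function pickCustomValue(body) {
  if (!body || typeof body !== "object") return null;    // no JSON body at all
  const v = body[CLAIM_KEY];
  if (typeof v !== "string") return null;                // reject objects, arrays, numbers
  if (v.length === 0 || v.length > MAX_LEN) return null; // bound the claim size
  if (!ALLOWED_VALUES.has(v)) return null;               // allow-list, no free text
  return v;
}

// Same signature as the Client Credentials Exchange hook in the post.
function hook(client, scope, audience, context, cb) {
  const access_token = { scope: scope };
  const v = pickCustomValue(context && context.body);
  if (v !== null) {
    access_token[CLAIM_KEY] = v;
  }
  cb(null, access_token);
}

// Convenience wrapper: runs the hook with a constructed context and returns
// the access token object it would hand back (the callback here is synchronous).
function issueToken(body) {
  let token = null;
  hook({}, "read:things", "https://api.example.com", { body: body }, (err, tok) => {
    token = tok;
  });
  return token;
}

if (typeof module !== "undefined") {
  module.exports = hook;
}
```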