Adding custom claim with request-specific value to M2M token

This works, but is it advisable?

I would like to be able to have a custom, request-specific value included in the token returned when I call POST /oauth/token with "grant_type": "client_credentials". I’ve got this working by adding a Client Credentials Exchange hook like this:

module.exports = function(client, scope, audience, context, cb) {
  var access_token = {};
  access_token.scope = scope;

  // Propagate some value from request body to the access token
  const key = "https://mydomain.com/some-key";
  if (context.body[key]) {
    access_token[key] = context.body[key];
  }

  cb(null, access_token);
};

Then I can include a value in the payload for my request to /oauth/token:

# "https://mydomain.com/some-key" in the JSON body is the custom, request-specific value
curl --request POST \
  --url https://mytenant.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{
  "https://mydomain.com/some-key": "some-value",
  "client_id": "...",
  "client_secret": "...",
  "audience": "...",
  "grant_type": "client_credentials"
}'

and it ends up as a custom claim under the same key in the access token.

According to the OAuth 2.0 spec, unrecognised request parameters will be ignored by the server, which suggests that adding custom properties to the payload this way ought to be benign. But is it? Can I rely on custom parameters in the OAuth Token payload being ignored, and always being accessible in my hook logic?

1 Like
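The hook in the post above signs whatever the caller puts in the request body, so the resulting claim is only as trustworthy as the client that sent it. One way to constrain it, as an added example that is not part of the original post or Auth0's own code: it assumes `client.metadata` is available to the hook, and the metadata field name `allowed_some_key_values` and the value format are hypothetical.

```javascript
// Added example: hardened variant of the hook from the post above.
const CLAIM = "https://mydomain.com/some-key";      // claim name taken from the post
const ALLOWLIST_FIELD = "allowed_some_key_values";  // hypothetical client metadata field
const VALUE_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;      // assumed format for acceptable values

// Decide whether a caller-supplied value may become a signed claim.
function vetRequestedValue(client, body) {
  if (!body || !Object.prototype.hasOwnProperty.call(body, CLAIM)) {
    return { ok: true, value: undefined };           // nothing requested, nothing added
  }
  const value = body[CLAIM];
  // Reject objects, arrays, numbers and oversized strings before they reach the token.
  if (typeof value !== "string" || !VALUE_PATTERN.test(value)) {
    return { ok: false, reason: "malformed value" };
  }
  // Per-client allowlist, stored as a comma-separated string in client metadata.
  const allowed = String((client.metadata || {})[ALLOWLIST_FIELD] || "")
    .split(",").map((s) => s.trim()).filter(Boolean);
  if (!allowed.includes(value)) {
    return { ok: false, reason: "value not permitted for this client" };
  }
  return { ok: true, value };
}

function exchangeHook(client, scope, audience, context, cb) {
  const access_token = { scope };
  const verdict = vetRequestedValue(client, context.body);
  if (!verdict.ok) {
    // Fail the exchange rather than silently issuing a token without the claim.
    return cb(new Error("custom claim rejected: " + verdict.reason));
  }
  if (verdict.value !== undefined) {
    access_token[CLAIM] = verdict.value;
  }
  cb(null, access_token);
}

// Export as the hook entry point when loaded as a CommonJS module.
if (typeof module !== "undefined") module.exports = exchangeHook;
```

A client with no allowlist configured gets no custom claim at all, so the API consuming the token can treat the claim as vetted per client rather than as free-form caller input.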

I had this exact same question. Since you mentioned “unrecognised request parameters will be ignored by the server”, I suspect this just means the server won’t do anything to them, including not explicitly removing them from the request. Since it works for you (and subsequently for me now), I think this is probably the case.

Thanks for pointing out how I may access request parameters in a hook sent to this endpoint!

I am also trying to add custom values in an M2M token. Is it possible or not?

Something like:

POST https://tenant.auth0.com/oauth/token
Content-Type: application/json

{
  "client_id": "clientid123",
  "client_secret": "clientsecre321",
  "audience": "audienceabc",
  "grant_type": "client_credentials",
  "custom": "value"
}

where “custom”: “value” is the custom field to be added to the token.

1 Like

We have the exact same desire / requirement, although trying it as per above doesn’t appear to work. The documentation suggests that the request data would be available at context.request.body rather than context.body as per above, but neither works for us for some reason…

1 Like

We’re expecting the same behaviour from Auth0. Any news about this?

1 Like

Hey there @joao.trakx (and others!) welcome to the community.

We’ve introduced an Action that should allow for this functionality:

See event.request: