Adding custom payload data during M2M authentication(Client credentials flow)

kamal.pradhan · March 24, 2021, 3:11pm

Hi,
We are trying to pass some data in the form body when calling the “/oauth/token” endpoint during the m2m authentication using client client credential flow.

payload

custom data added : .xyz Domain Names | Join Generation XYZ

grant_type=client_credentials
client_id=xx
client_secret=xxx
audience=xxx
http://xyz.com/temp=User_3123  (Custom data in payload)

Now, when making the call we have a hook that is currently able to find the custom payload data and performs some operation. Below is the Auth0 hook where we access the key and add it to the token.

Auth0 hook

module.exports = function(client, scope, audience, context, cb) {
  var access_token = {};
  access_token.scope = scope;  
// Operation after retrieving custom payload
 const key = "http://xyz.com/temp";
  if (context.body[key]) {
    access_token[key] = context.body[key];
  }
  else{
    access_token[key] = {}
  }
  cb(null, access_token);
};

This approach works but when I try to use a normal string as custom payload instead of using a URL. I cannot access the custom data in Auth0 hooks anymore.
ex:
custom data added : a_general_key=User_3123

grant_type=client_credentials
client_id=xx
client_secret=xxx
audience=xxx
a_general_key=User_3123  (Custom data in payload)

Now the documentations are not very clear regarding this but it would be nice we could get a clear why this works in some cases and not in others.

Here are the doubts/questions we have:

Why custom data can be added and seen inside auth0 hook when the key is in URL form instead of a string?
.xyz Domain Names | Join Generation XYZ vs a_general_key=User_3123
Is there a way we can send some custom data while doing m2m auth using client credentials flow and access it through Auth0 hook?
like a additional parameter, header or key in form body.

Thank you

dan.woda · March 25, 2021, 4:04pm

Hi @kamal.pradhan,

Welcome to the Community!

You should be able to send data to your hook, whether it is a valid URL or string. Either should work. I just tested it and I can see a string in the Hook’s logs using this method:

Here is the request I am making:

curl --request POST \
       --url https://xxxx.auth0.com/oauth/token \
       --header 'content-type: application/json' \
       --data '{"client_id":"xxxx","client_secret":"xxxx","audience":"xxxx","grant_type":"client_credentials","foo":"bar"}'

Here is the Hook:

module.exports = function(client, scope, audience, context, cb) {
  var access_token = {};
  access_token.scope = scope;
  console.log(context.body.foo);
  cb(null, access_token);
};

Result:

9:03:10 AM: new webtask request
9:03:10 AM: bar

I think the problem may be that you are trying to add an improperly namespaced claim to the token. The custom claim must conform to the namespacing guidelines, which require a valid URL as it is collision-resistant.

kamal.pradhan · March 25, 2021, 4:12pm

@dan.woda Many thanks for the response, It works now. Is it a valid case to send such custom payloads in when making a request to /oauth/token ? I didn’t found it anywhere in Auth0 documentation. So I just want to confirm if this a standard practice and documented somewhere. Thanks.

dan.woda · March 25, 2021, 10:47pm

I don’t see an issue with it, it sounds like you are simply trying to attach a param/payload to a token, which isn’t an issue inherently.

system · April 9, 2021, 10:48pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.