Adding roles to access_token via oauth/token endpoint

I have seen in other discussions that rules are not executed when fetching tokens via the client_credentials flow. In our case, we use the Resource Owner Password Flow to retrieve tokens from the tenant. Can anyone give me some suggestions on how we can extend the token? Information we would like to have in there would be roles or things like the user_metadata. In the documentation it says that hooks can be used for this, but in the corresponding hook (Client Credentials Exchange), I can’t see anything related to the user.

module.exports = function(client, scope, audience, context, cb)

Here I can modify the access_token, but where do I get the user information? Is this even possible in Auth0?

Hey @christian.b, rules are executed in a ROPG flow, so you can extend the token in rules.
Have you tried that?
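
A rule of the kind suggested in the reply above, as an added example that is not part of the original thread and not Auth0's or the posters' own code. The namespace URL, the metadata allowlist and the sample user and context are assumptions constructed for illustration; roles are assumed to be assigned through Auth0's Authorization Core so that they appear in context.authorization.roles.

```javascript
// Added example: an Auth0 Rule that adds roles and selected user_metadata
// to the access token. NAMESPACE and ALLOWED_METADATA are hypothetical.
const NAMESPACE = 'https://example.com/claims/';
const ALLOWED_METADATA = ['department', 'locale'];

// Paste only this function into the Rules editor; Auth0 supplies the arguments.
function addRolesToAccessToken(user, context, callback) {
  // Assumption: roles are assigned via Auth0's Authorization Core, which
  // exposes them to rules as context.authorization.roles.
  const roles = (context.authorization && context.authorization.roles) || [];
  context.accessToken = context.accessToken || {};
  // Namespaced (URL-style) claim names avoid collisions with standard claims.
  context.accessToken[NAMESPACE + 'roles'] = roles;

  // user_metadata is intended for user-editable data, so copy an allowlist
  // only and do not base authorization decisions on it.
  const metadata = user.user_metadata || {};
  const exposed = {};
  for (const key of ALLOWED_METADATA) {
    if (Object.prototype.hasOwnProperty.call(metadata, key)) {
      exposed[key] = metadata[key];
    }
  }
  context.accessToken[NAMESPACE + 'user_metadata'] = exposed;
  callback(null, user, context);
}

// Local harness (not part of the rule): run it against constructed input.
function runRule(rule, user, context) {
  let out = null;
  rule(user, context, (err, u, ctx) => {
    if (err) throw err;
    out = ctx;
  });
  return out;
}

// Constructed sample data; 'oauth2-password' is the context.protocol value
// Auth0 reports for the Resource Owner Password flow.
const sampleUser = {
  email: 'jane@example.com',
  user_metadata: { department: 'finance', locale: 'de', notes: 'private' },
};
const sampleContext = {
  protocol: 'oauth2-password',
  authorization: { roles: ['admin', 'editor'] },
};
const result = runRule(addRolesToAccessToken, sampleUser, sampleContext);
console.log(JSON.stringify(result.accessToken, null, 2));
```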


Hi @sidharth.chaudhary

Thanks for the input. In our case, we have rules in place which are working, because the token obtained using the authorization code flow (Auth0 Universal Login Page) shows the additional information which is put in by the rules. If I call the /oauth/token endpoint, all the information is missing, which leads me to believe those rules are not executed.

We follow the approach listed here for obtaining tokens via ROPG flow: Resource Owner Password Flow

Request in Postman:

Should I create a service ticket for this issue?

Hey @christian.b, apologies, I was on leave last week. Just checking in: did you manage to resolve the issue?

Rules definitely run for ROPG also; this is documented here:

There are a few exceptional cases like the redirect case.

Can you DM me your tenant name so I can have a quick look as well?



I’d like to revive this thread. I sent a DM to Sid in August and haven’t heard anything since. Is anyone else able to support with this issue?