Adding user email to the ID Token using Actions?

I’m having a hard time adding user emails to the id-token.

Based on this thread and this thread it should be simple, but for me most fields seem to be undefined on the user object.

Currently I have this:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://<MY URL>';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/claims/email`, event.user.email);
    console.log(event.user);
  }
}

Monitoring->Logs confirms that the fields are undefined:

<snip> 
 email_verified: false,\n  email: undefined,\n  family_name: undefined,\n  given_name: undefined,\n  identities: [\n    {\n      connection: 'EXTERNAL-AD',\n      isSocial: false,\n      provider:",
<snip>

To note: these users are coming in through an Azure Active Directory, so I also checked user.upn just in case the mapping to email wasn't working, but that was also undefined.

Any ideas how I could get at that email?

In related news, I had no problems attaching the roles in exactly the same manner as above.

I was able to find a workaround using “rules” by doing this:

context.idToken[namespace + 'email'] = user.upn;

It's not great, but will do for the moment.

The ID token will get an email claim automatically if the following is true:

  1. The user object has an email attribute
  2. You request the email scope in the /authorize request

If either of these is false, you can still add it by using a rule or an Action. You should be able to do that without using a namespace, e.g. context.idToken.email.
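As an added example (not code from the thread or from Auth0), here is a Post-Login Action that combines the two posts above: it prefers event.user.email, falls back to the Azure AD UPN the way the rules workaround does, and writes the claim without a namespace as the answer suggests. The resolution logic sits in a small pure function so it can be run locally against a fake api object; resolveEmail, makeFakeApi, runSample and the sample event are constructed for the example and are not part of the Actions API. It also carries email_verified through, because a UPN copied into an email claim is not a verified address and relying parties that read the ID token should not be told otherwise.

```javascript
// Added example, not from the thread: an Auth0 Post-Login Action that
// resolves an email for the ID token, falling back to the Azure AD UPN
// (the thread's workaround) when event.user.email is undefined.

// Pure helper so the resolution logic can be tested outside Auth0.
// Returns { email, source } or null when nothing usable exists.
function resolveEmail(user) {
  if (!user) return null;
  if (typeof user.email === 'string' && user.email.includes('@')) {
    return { email: user.email, source: 'email' };
  }
  // Assumption (from the poster's workaround): the Azure AD connection
  // exposes the UPN as user.upn, which is usually the mail address.
  if (typeof user.upn === 'string' && user.upn.includes('@')) {
    return { email: user.upn, source: 'upn' };
  }
  return null;
}

// Action entry point, same signature as in the question.
// api.idToken.setCustomClaim is the real Actions API; the claim is
// written without a namespace, following the answer above.
const onExecutePostLogin = async (event, api) => {
  const resolved = resolveEmail(event.user);
  if (!resolved) {
    console.log('no email-like attribute on user', event.user && event.user.user_id);
    return;
  }
  api.idToken.setCustomClaim('email', resolved.email);
  // A UPN copied into `email` is not a verified address: only report
  // email_verified=true when it came from a verified email attribute.
  api.idToken.setCustomClaim(
    'email_verified',
    resolved.source === 'email' && event.user.email_verified === true
  );
};

// Export under the name Auth0 expects when deployed as an Action.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Minimal local stand-in for the Auth0 `api` object (constructed for the example).
function makeFakeApi() {
  const claims = {};
  return {
    claims,
    idToken: { setCustomClaim: (name, value) => { claims[name] = value; } },
  };
}

// Constructed sample event shaped like the log excerpt in the question:
// email undefined, email_verified false, UPN present.
const sampleEvent = {
  user: {
    user_id: 'ad|EXTERNAL-AD|example-user',
    email: undefined,
    email_verified: false,
    upn: 'jdoe@example.com',
    identities: [{ connection: 'EXTERNAL-AD', isSocial: false, provider: 'ad' }],
  },
};

// Run the Action against the fake api and return the claims it produced.
async function runSample(event = sampleEvent) {
  const api = makeFakeApi();
  await onExecutePostLogin(event, api);
  return api.claims;
}

if (typeof require !== 'undefined' && require.main === module) {
  runSample().then((claims) => console.log(claims));
}
```

Running the file locally prints the claims the Action would add for the sample user: email taken from the UPN and email_verified false. Deploy only the onExecutePostLogin part in the Actions editor; the fake api and sample event exist so the fallback logic can be exercised before it touches real tokens.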

