api.accessToken.setCustomClaim Does Not Set the Custom Email Claim

Problem statement

The customer has two different actions that call the following API for two different applications.

api.accessToken.setCustomClaim("email", "some@email.com")

One application works; however, the other fails to set the custom “email” claim. All the other custom claims set by the action are present in the resulting access token, except for the “email”.

Symptoms

The customer has two different actions that call api.accessToken.setCustomClaim("email", "some@email.com") for two different applications.

One works, while the other fails to set the custom “email” claim. All the other custom claims set by the action are present in the resulting access token, except for the “email”.

Steps to reproduce

  1. Create an Action that calls
    api.accessToken.setCustomClaim("email", "some@email.com")

  2. Try it from an application that uses the Resource Owner Password Grant (ROPG).

Troubleshooting

  • Try to change the custom claim to a different name like “userEmail”. This should work.
  • Try to log in to the application with an interactive flow. This should work.

Cause

The “email” custom claim is configurable only when using an interactive flow where the user is redirected to the Auth0 Universal Login for credentials.

When the application uses the password grant, general restrictions apply to “email” as a custom claim. Refer to the documentation on non-restricted claims.

Solution

As a workaround, we suggest using a namespaced custom claim for this and refactoring the application to parse the namespaced claim.

Refer to the documentation on Namespaced guidelines for additional details.
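
The workaround above, as an added example that is not Auth0's or the customer's code: a post-login Action that sets a namespaced email claim, and an application-side helper that reads it. The namespace https://app.example.com, the helper names emailFromClaims and makeRecordingApi, and the allowLegacy option are assumptions made for illustration.

```javascript
// NAMESPACE is a constructed placeholder; use a URI you control.
const NAMESPACE = "https://app.example.com";
const EMAIL_CLAIM = `${NAMESPACE}/email`;

// Post-login Action handler: sets the namespaced claim instead of "email",
// so the claim name is the same for interactive and password-grant logins.
const onExecutePostLogin = async (event, api) => {
  if (event.user && typeof event.user.email === "string") {
    api.accessToken.setCustomClaim(EMAIL_CLAIM, event.user.email);
  }
};

// Application side (hypothetical helper): read the email from an access-token
// payload that the application's JWT library has ALREADY verified
// (signature, issuer, audience, expiry). Never call this on an unverified token.
function emailFromClaims(payload, { allowLegacy = false } = {}) {
  const namespaced = payload[EMAIL_CLAIM];
  if (typeof namespaced === "string" && namespaced.length > 0) {
    return namespaced;
  }
  // Optional migration fallback: tokens issued before the refactor through
  // the interactive flow may still carry the plain "email" claim.
  if (allowLegacy && typeof payload.email === "string" && payload.email.length > 0) {
    return payload.email;
  }
  return null; // claim missing or not a string: treat as "no email"
}

// Constructed stand-in for the Action `api` object; it only records the
// claims passed to setCustomClaim so the handler can be exercised locally.
function makeRecordingApi() {
  const claims = {};
  return {
    claims,
    accessToken: { setCustomClaim: (name, value) => { claims[name] = value; } },
  };
}

// In the Auth0 Action editor the handler is exported under this name.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

With allowLegacy left at its default, the application reads only the namespaced claim, so tokens from both flows are handled the same way.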