Auth0 actions: Unable to set custom claims on access token

Help
,
1

Hi there!
Currently in the process to migrate from Auth0 Rules to Auth0 Actions.
We are issuing the request using the @auth0/auth0-spa-js package (v1.22.6)

What is happening?

We are unable to set custom claims on access tokens.

What is the expected behaviour?

Given an audience passed to getTokenSilently (auth.getTokenSilently({ audience: ... })), that matches the namespace of the custom claim, the custom claim should be added to the access token.

What are the details of your current implementation?

Implementation:

exports.onExecutePostLogin = async (event, api) => {
  // Logging request for debug purposes
  const { ENVIRONMENT, DEBUG = "false" } = event.secrets;
  if (ENVIRONMENT == "development" || JSON.parse(DEBUG)) {
    console.log("request:", event.request);
  }

  try {
    const AUDIENCE = event.request.query?.audience ?? event.request.body?.audience
    // (some more code to validate the audience here)
    const webuser = fetchWebuser(event)
    api.accessToken[`${AUDIENCE}:webuser_id`] = webuser.webuser_id;
    api.accessToken[`${AUDIENCE}:tenant_id`] = webuser.tenant_id;
    api.accessToken[`${AUDIENCE}:role`] = webuser.auth_role_name;
    console.log("resulting access token:", JSON.stringify(api.accessToken));
  } catch (err) {
    api.access.deny(
      JSON.stringify({
        status: 500,
        code: "SERVER_ERROR",
        message: "Server Error",
      })
    );
  }
};

function fetchWebuser(event) {
  ...
}

Example request:

{
  ip: '<redacted>',
  asn: '5769',
  method: 'GET',
  query: {
    audience: 'https://server.goarthur.localhost',
    auth0Client: '<redacted>',
    client_id: '<redacted>',
    code_challenge: '<redacted>',
    code_challenge_method: 'S256',
    leeway: '300',
    nonce: '<redacted>',
    prompt: 'none',
    redirect_uri: 'http://app.goarthur.localhost:3000',
    response_mode: 'web_message',
    response_type: 'code',
    scope: 'openid profile email',
    state: '<redacted>'
  },
  body: {},
  geoip: {
    cityName: 'Montreal',
    continentCode: 'NA',
    countryCode3: 'CAN',
    countryCode: 'CA',
    countryName: 'Canada',
    latitude: '<redacted>',
    longitude: '<redacted>',
    subdivisionCode: 'QC',
    subdivisionName: 'Quebec',
    timeZone: 'America/Toronto'
  },
  hostname: 'goarthur-dev.auth0.com',
  language: undefined,
  user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0'
}

Example accessToken logged at the end of the action:

resulting access token: {"https://server.goarthur.localhost:webuser_id":"wbua20627f3390240348f76c76cc5c","https://server.goarthur.localhost:tenant_id":"cli2430af4ad1a74065b9282f9b1e5","https://server.goarthur.localhost:role":"wbua20627f3390240348f76c76cc5c_cli2430af4ad1a74065b9282f9b1e5"}

Received accessToken in the frontend SPA:

{
  aud: [ "https://server.goarthur.localhost" ]
  azp: "<redacted>"
  exp: 1729701108
  iat: 1729614708
  iss: "https://goarthur-dev.auth0.com/"
  scope: "openid profile email"
  sub: "auth0|<redacted>"
}

Previously when setting custom claims on access token, the equivalent code worked without issue (using context.accessToken[key] to set custom claims).

What have I missed?
Is there a breaking change between rules and actions that results in claims in the format {namespace}:{key} to be filtered from the result?

Thanks for your help,
Philippe