Hi there!
Currently in the process to migrate from Auth0 Rules to Auth0 Actions.
We are issuing the request using the @auth0/auth0-spa-js package (v1.22.6)
What is happening?
We are unable to set custom claims on access tokens.
What is the expected behaviour?
Given an audience passed to getTokenSilently (auth.getTokenSilently({ audience: ... })
), that matches the namespace of the custom claim, the custom claim should be added to the access token.
What are the details of your current implementation?
Implementation:
exports.onExecutePostLogin = async (event, api) => {
// Logging request for debug purposes
const { ENVIRONMENT, DEBUG = "false" } = event.secrets;
if (ENVIRONMENT == "development" || JSON.parse(DEBUG)) {
console.log("request:", event.request);
}
try {
const AUDIENCE = event.request.query?.audience ?? event.request.body?.audience
// (some more code to validate the audience here)
const webuser = fetchWebuser(event)
api.accessToken[`${AUDIENCE}:webuser_id`] = webuser.webuser_id;
api.accessToken[`${AUDIENCE}:tenant_id`] = webuser.tenant_id;
api.accessToken[`${AUDIENCE}:role`] = webuser.auth_role_name;
console.log("resulting access token:", JSON.stringify(api.accessToken));
} catch (err) {
api.access.deny(
JSON.stringify({
status: 500,
code: "SERVER_ERROR",
message: "Server Error",
})
);
}
};
function fetchWebuser(event) {
...
}
Example request:
{
ip: '<redacted>',
asn: '5769',
method: 'GET',
query: {
audience: 'https://server.goarthur.localhost',
auth0Client: '<redacted>',
client_id: '<redacted>',
code_challenge: '<redacted>',
code_challenge_method: 'S256',
leeway: '300',
nonce: '<redacted>',
prompt: 'none',
redirect_uri: 'http://app.goarthur.localhost:3000',
response_mode: 'web_message',
response_type: 'code',
scope: 'openid profile email',
state: '<redacted>'
},
body: {},
geoip: {
cityName: 'Montreal',
continentCode: 'NA',
countryCode3: 'CAN',
countryCode: 'CA',
countryName: 'Canada',
latitude: '<redacted>',
longitude: '<redacted>',
subdivisionCode: 'QC',
subdivisionName: 'Quebec',
timeZone: 'America/Toronto'
},
hostname: 'goarthur-dev.auth0.com',
language: undefined,
user_agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0'
}
Example accessToken logged at the end of the action:
resulting access token: {"https://server.goarthur.localhost:webuser_id":"wbua20627f3390240348f76c76cc5c","https://server.goarthur.localhost:tenant_id":"cli2430af4ad1a74065b9282f9b1e5","https://server.goarthur.localhost:role":"wbua20627f3390240348f76c76cc5c_cli2430af4ad1a74065b9282f9b1e5"}
Received accessToken in the frontend SPA:
{
aud: [ "https://server.goarthur.localhost" ]
azp: "<redacted>"
exp: 1729701108
iat: 1729614708
iss: "https://goarthur-dev.auth0.com/"
scope: "openid profile email"
sub: "auth0|<redacted>"
}
Previously when setting custom claims on access token, the equivalent code worked without issue (using context.accessToken[key]
to set custom claims).
What have I missed?
Is there a breaking change between rules and actions that results in claims in the format {namespace}:{key}
to be filtered from the result?
Thanks for your help,
Philippe