Can I get device id (android device id for example) at login in a rule ? How?

Can I get device id (android device id for example) at login in a rule ? How ?

I’d need this to persist it in my application layer session management.

Do you have that id stored in your profile already?

The device id isn’t transferred automatically, but you can pass it along in the authorization request.
I guess you’re using a regular OAuth2 redirect flow, or the standard way we recommend via AndroidSDK?

If you look for extraParams in this forum, you find a way, though this extraParams isn’t part of the OAuth2 specs.

While it (still) works, I would rather recommend this:

Pass an upstream_params parameter in the authorization request. I don’t know the details of the Android SDK so I show you the way in our JS SDK, but it’s the same approach in Android then accordingly.


In the Rule, you can then get it via:


Hi, no I don’t. It should come on the login process somehow.

This is actually the kind of thing I’m looking for. I would just need to validate if this can be done from the Android SDK.

Thanks !!

I haven’t used the Android SDK myself, but maybe it’s this one (not tested)?

If you find out, please post it here.

Stumbled upon this whilst trying to figure out how to use a rule to map the current device_id into the access_token / custom claims. Docs don’t specify that it is part of context but likely should be?

I don’t think the suggested solution is acceptable / should be recommended, as you are effectively trusting a value a client passes in as the correct value, in the listed example I could pass in any value as a parameter, spoofing someone elses android id and potentially receive their notifications or similar.

Our use-case is as a way of uniquely identifying devices (which are effectively refresh tokens it seems?) so we can associate refresh tokens with ios push tokens in our backend. We want to show the user a device management UI to ‘remove device’ which will call Auth0 Device Credential API amongst other things. But we really want to use the auth0 device_id in the access_token custom claims as a way of identifying the device and associating push tokens. Surprising its not available.

1 Like