I am trying to include app_metadata in my access token using a Rule for my OIDC-compliant client. Whatever I try (including adding a test string to the access token), the access token returned by my app (Angular) when decoded using jwt.io (and also when examined at my REST backend) only contains the following:
My Rules looks like this and debugging it has confirmed that my console.logs are being hit:
function (user, context, callback) {
console.log('in Load User Metadata rule' + user);
var namespace = 'https://stratelogics.auth0.com/';
context.idToken[namespace + 'user_metadata'] = user.user_metadata;
console.log('added user_metadata to idToken');
console.log('adding test data to accessToken...');
context.accessToken[namespace + 'thisisatest'] = 'this_is_the_test_value';
console.log('added test data to accessToken.');
console.log('adding sms_userid from app_metadata to accessToken...');
context.accessToken[namespace + 'sms_userid'] = user.app_metadata.sms_userid;
console.log('added sms_userid from app_metadata to accessToken.');
callback(null, user, context);
}
I see that youāre using an auth0.com domain as the namespace for your custom claims. As stated in the documentation: auth0.com, webtask.io and webtask.run are Auth0 domains and therefore cannot be used as a namespace identifier.
Any non-Auth0 HTTP or HTTPS URL can be
used as a namespace identifier, and
any number of namespaces can be used.
Given your tenant name, you can use something like var namespace = 'https://stratelogics.com/'; as a valid namepace.
@ricardo.batista: I see that youāre using an auth0.com domain as the namespace for your custom claims. As stated in the documentation: auth0.com, webtask.io and webtask.run are Auth0 domains and therefore cannot be used as a namespace identifier.
Thank you. I changed my namespace to https://eplsms.stratelogics.com and, still, the data I am looking for is not included in the access token. Hereās the rule:
Did you ever find a solution to this? Iām experiencing the same issue with my app, even though I followed the guide (SPA + API) to the letter. Iāve been struggling with this for the last day with no idea how to proceed. Iām using the live logging with logging statements in my rules and see that the custom claim has been added to the context.accessToken, but when I inspect the token it is missing the claims.
Iām peforming a POST request to /oauth/token via Postman with the following params:
grant_type:client_credentials
client_id: {client_id}
client_secret: {client_secret}
audience: {api_audience} // get this on API > Settings > Identifier
Then I get the access_token and when I inspect using jwt.io I only see the following info:
I have exactly this issue, my namespace is good, the rule is almost identical to yours, but nothing gets added to the access token. Did you manage to find a solution to this?
Iām also having an issue as Iām not able to add the custom claims to the access token. It would be interesting to hear if anyone has a solution to adding rules with custom claims to the /token endpoint with an example. Iām facing the same problem.
Hey, setting either the scope or a set of custom claims does not work for access tokens. I think I tried every single approach including the two from the rules samples:
I tested it both through the ātry itā rule button, where the access token is augmented and when logging in and deciphering JWT.
@ricardo.batista could you take a look at it? Iām pinging you as youāre the Auth0 employee in this thread and maybe you have some way for testing it internally.
Recently we have some community developers reporting problems with running their rules. Iām not into the progress of things in that thread but you can find that one helpful:
Iām having the same problem with context.accessToken, though does work with context.idToken. But just to double-check (and to help anyone searching at home) you need to include your custom claim URLs in your scope. For instance, if your rule is:
For anyone else who ends up here - it appears that Rules are not run for Client Credentials Flow (used by M2M applications hitting the /oauth/token endpoint). According to an Auth0 support personnel:
Actually Client Credentials grant requests do not trigger Auth0 Rules pipeline because they are not considered user logins. They should be used only for Machine-to-Machine API calls.