
custom claims not added to access_token despite Rule

rules
access_token
custom-claims

#1

I am trying to include app_metadata in my access token using a Rule for my OIDC-compliant client. Whatever I try (including adding a test string to the access token), the access token returned by my app (Angular) when decoded using jwt.io (and also when examined at my REST backend) only contains the following:

{
  "iss": "https://xxxxxxxxxxxx.auth0.com/",
  "sub": "auth0|xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "aud": [
    "https://xxxxxxxxxxxx.xxxxxxxxxxxx.com",
    "https://xxxxxxxxxxxx.auth0.com/userinfo"
  ],
  "iat": 1518267898,
  "exp": 1518354298,
  "azp": "KQi1KzWkL4BjTL8Ql3aFhVc8TcV2S-Xj",
  "scope": "openid profile email"
}

My Rules looks like this and debugging it has confirmed that my console.logs are being hit:

function (user, context, callback) {
  console.log('in Load User Metadata rule ' + JSON.stringify(user));
  var namespace = 'https://stratelogics.auth0.com/';
  // Copy user_metadata into the ID token under a namespaced claim
  context.idToken[namespace + 'user_metadata'] = user.user_metadata;
  console.log('added user_metadata to idToken');
  // Add a constant test claim to the access token
  console.log('adding test data to accessToken...');
  context.accessToken[namespace + 'thisisatest'] = 'this_is_the_test_value';
  console.log('added test data to accessToken.');
  // Copy sms_userid from app_metadata into the access token
  console.log('adding sms_userid from app_metadata to accessToken...');
  context.accessToken[namespace + 'sms_userid'] = user.app_metadata.sms_userid;
  console.log('added sms_userid from app_metadata to accessToken.');
  callback(null, user, context);
}

#2

I see that you’re using an auth0.com domain as the namespace for your custom claims. As stated in the documentation: auth0.com, webtask.io and webtask.run are Auth0 domains and therefore cannot be used as a namespace identifier.

Any non-Auth0 HTTP or HTTPS URL can be used as a namespace identifier, and any number of namespaces can be used.
Given your tenant name, you can use something like var namespace = 'https://stratelogics.com/'; as a valid namespace.
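As an added example (not code from this thread or from Auth0), here is a small Node.js helper that applies the documented namespace restriction, mirrors the Rule above with two guards, and inspects a token payload for namespaced claims. The tenant names, the sample token and the placeholder signature are constructed; decoding here does not verify the signature, it is the same kind of inspection jwt.io performs.

```javascript
// Added example: namespace check, guarded Rule logic and payload inspection
// for Auth0 custom claims. Node.js 16+, no dependencies. Constructed data.
const AUTH0_OWNED = ['auth0.com', 'webtask.io', 'webtask.run'];

// A namespace must be an http(s) URL whose host is not an Auth0-owned domain
// (or a subdomain of one), per the documentation quoted in the thread.
function isValidNamespace(ns) {
  let url;
  try { url = new URL(ns); } catch (e) { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  return !AUTH0_OWNED.some(d => host === d || host.endsWith('.' + d));
}

// Mirrors the Rule from the thread with two guards: reject an invalid
// namespace, and tolerate a user without app_metadata instead of throwing.
function addClaims(user, context, namespace) {
  if (!isValidNamespace(namespace)) throw new Error('invalid namespace: ' + namespace);
  const app = user.app_metadata || {};
  context.idToken[namespace + 'user_metadata'] = user.user_metadata || {};
  if (app.sms_userid !== undefined) {
    context.accessToken[namespace + 'sms_userid'] = app.sms_userid;
  }
  return context;
}

// Decode the payload segment of a compact JWT without verifying it.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Return only the claims that live under the given namespace, prefix stripped.
function namespacedClaims(payload, namespace) {
  return Object.fromEntries(Object.entries(payload)
    .filter(([k]) => k.startsWith(namespace))
    .map(([k, v]) => [k.slice(namespace.length), v]));
}

// Constructed token: header and signature are placeholders; the payload has
// the shape shown in the thread (no custom claims present).
function fakeJwt(payload) {
  const b64 = o => Buffer.from(JSON.stringify(o)).toString('base64url');
  return b64({ alg: 'RS256', typ: 'JWT' }) + '.' + b64(payload) + '.sig';
}
const SAMPLE = fakeJwt({ iss: 'https://tenant.auth0.com/', sub: 'auth0|abc',
  aud: ['https://api.example.com', 'https://tenant.auth0.com/userinfo'],
  scope: 'openid profile email' });
// Inspecting the thread's token shape yields no claims under the valid namespace.
console.log(namespacedClaims(decodePayload(SAMPLE), 'https://eplsms.stratelogics.com/'));
```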


#3

@ricardo.batista: I see that you’re using an auth0.com domain as the namespace for your custom claims. As stated in the documentation: auth0.com, webtask.io and webtask.run are Auth0 domains and therefore cannot be used as a namespace identifier.
Thank you. I changed my namespace to https://eplsms.stratelogics.com and, still, the data I am looking for is not included in the access token. Here’s the rule:

function (user, context, callback) {
  var namespace = 'https://eplsms.stratelogics.com/';
  context.idToken[namespace + 'user_metadata'] = user.user_metadata;
  context.accessToken[namespace + 'sms_userid'] = user.app_metadata.sms_userid;
  //context.accessToken[namespace + 'app_metadata'] = user.app_metadata;
  //context.accessToken[namespace + 'user_metadata'] = user.user_metadata;
  callback(null, user, context);
}

But the access token payload looks exactly as before.


#4

Did you ever find a solution to this? I’m experiencing the same issue with my app, even though I followed the guide (SPA + API) to the letter. I’ve been struggling with this for the last day with no idea how to proceed. I’m using the live logging with logging statements in my rules and see that the custom claim has been added to the context.accessToken, but when I inspect the token it is missing the claims.