Custom claims under OIDC Enterprise Connection User Mapping not included on id_token

Hey @dan.woda - Thanks for digging into it. I’ve created a feature request at “Allow object mapping/introspection in Enterprise OIDC custom claim mapping”.

For posterity, and for anybody who finds themselves in a similar scenario, our workaround is to leverage the context.tokenset.access_token mapping in the enterprise OIDC connection, and subsequently use the access_token now present on the id_token to make an explicit call to the external IDP’s userinfo to pull the information we need out of the object claim.

Separately, are there means or channels to propose updates to the Auth0 docs? Your clarification around the necessity of leveraging an action to map the custom claims defined in the enterprise OIDC connection was instrumental in this all making sense, and I feel it would be a strong addition to the existing doc at “Configure PKCE and Claim Mapping for OIDC Connections”.

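The workaround described in the post above, sketched as an added example that is not part of the original thread or Auth0's own code: the application takes the upstream access_token carried on the ID token, calls the external IdP's userinfo endpoint, and reads one field out of the object claim. The function and parameter names, the claim path, the URL and the stub IdP are assumptions; the `sub` comparison follows the UserInfo rule in OpenID Connect Core.

```javascript
// Added example. URL, token, claim path and all names here are constructed placeholders.
async function fetchUpstreamObjectClaim({ userinfoUrl, accessToken, expectedSub, claimPath,
                                          fetchImpl = globalThis.fetch }) {
  const url = new URL(userinfoUrl);
  // The bearer token must never travel over cleartext HTTP.
  if (url.protocol !== 'https:') throw new Error('userinfo endpoint must use https');
  if (!accessToken) throw new Error('no upstream access_token available');

  const res = await fetchImpl(url.href, {
    headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' },
    redirect: 'error', // do not follow redirects with the token attached
  });
  if (!res.ok) throw new Error(`userinfo request failed: HTTP ${res.status}`);

  // Some IdPs return a signed JWT (application/jwt); this sketch handles plain JSON only.
  const type = (res.headers.get('content-type') || '').toLowerCase();
  if (!type.startsWith('application/json')) throw new Error(`unsupported content-type: ${type}`);
  const claims = await res.json();

  // The userinfo response must describe the same subject the user authenticated as.
  if (claims.sub !== expectedSub) throw new Error('userinfo sub does not match expected subject');

  // Walk the dotted path into the object claim; a missing key yields undefined.
  let node = claims;
  for (const key of claimPath.split('.')) {
    if (node === null || typeof node !== 'object' ||
        !Object.prototype.hasOwnProperty.call(node, key)) return undefined;
    node = node[key];
  }
  return node;
}

// Constructed stand-in for the external IdP so the example runs offline.
function stubIdp(body, { status = 200, contentType = 'application/json' } = {}) {
  const calls = [];
  const fetchImpl = async (url, init) => {
    calls.push({ url, init });
    return {
      ok: status >= 200 && status < 300,
      status,
      headers: { get: (n) => (n.toLowerCase() === 'content-type' ? contentType : null) },
      json: async () => body,
    };
  };
  return { fetchImpl, calls };
}
```

Because the upstream access_token rides on the ID token in this workaround, anything that can read the ID token can call the external IdP as the user, so treat the ID token as a credential in logs and storage.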