Getting client metadata in non-interactive clients access tokens

I’m evaluating the feature of using non interactive client for future integrations.
In my understanding the protected server (APIs in my case) will only let pass the HTTP requests that have a JWT bearer token in Authorization header (I’m pretty new to Auth0 and authorization and authentication in general so I apologize in advance if I won’t use right terminology)

I’ve used Spring security example found here.

It works for me (I mean only the valid JWT token passes the Spring Security and I’m able to access the HTTP controller on server)

But now I would like to set some additional information on non-interactive client in a key value form and access it on server. So I did it for my client in section “Advanced settings” → “Application Metadata”.

As the aforementioned tutorial suggests, I’ve asked for the token to be sent with
“Authorization Bearer” as follows:

curl --request POST   --url https://MY_COMPANY_NAME.auth0.com/oauth/token   
 -- header 'content-type: application/json'   --data '{"client_id":
  "CLIENT_ID","client_secret": "CLIENT_SECRET",
  "audience":"https://MY_COMPANY_NAME.auth0.com/",
  "grant_type":"client_credentials"}'

As a result I’m getting a JWT token that looks like this:

 {
    "access_token":"TOKEN",
    "expires_in":86400,
     "scope":"openid create:textAnalysis",
     "token_type":"Bearer"
  }

Its header is:

   {
     "typ": "JWT",
     "alg": "RS256",
     "kid": "SOME_VALUE"
   }

Its payload looks like this:

{
 "iss": "https://MY_COMPANY.auth0.com/",
 "sub": "SUBJECT@clients",
 "aud": "https://MY_COMPANY_NAME.auth0.com/",
 "exp": 1498193789,
 "iat": 1498107389,
 "scope": "openid create:textAnalysis"
}

But when I check it in JWT.IO I don’t see any information about custom metadata I’ve sent.
I’ve tried another way - to query Auth0 on server: to call GET request /userinfo with this JWT token but i also doesn’t work (I’m getting an unauthorized 401 response).

So my question what should I do to get this metadata?

Is it possible to do that in both ways I’ve described or maybe there is any other way to get this working?

1 Like

You should be able to accomplish your requirements by implementing a client credentials hook that will let you add additional custom claims into the issued access tokens. The hook logic would have access to the client metadata data and as such you could add the claims you are interested to received in the API. Have in mind that custom claims added need to use a namespace so there’s no risk that they clash with standard ones.

A sample implementation for the hook could be the following:

module.exports = function(client, scope, audience, context, cb) {
  var access_token = { scope: scope };

  if (client.metadata) {
    access_token'https://example.com/urn'] = client.metadata.urn;
  }

  cb(null, access_token);
};

With the above hook in place you should now receive a JWT access token with an additional custom claim in the payload:

{
  "iss": "https://[your_account].auth0.com/",
  "sub": "[your_client]@clients",
  "aud": "https://api.example.com",
  "exp": 1498207694,
  "iat": 1498121294,
  "scope": "read:examples",
  "https://example.com/urn": "urn:example.com:c-one"
}

As an additional note, have in mind that the /userinfo endpoint is meant to provide information about an end-user and as such can be called by a suitable access token issued as part of an end-user related flow. For the client credentials grant (non-interactive clients) there is no end-user so that endpoint does not apply.

1 Like