Getting client metadata in non-interactive clients access tokens

You should be able to accomplish your requirements by implementing a client credentials hook that will let you add additional custom claims into the issued access tokens. The hook logic would have access to the client metadata data and as such you could add the claims you are interested to received in the API. Have in mind that custom claims added need to use a namespace so there’s no risk that they clash with standard ones.

A sample implementation for the hook could be the following:

module.exports = function(client, scope, audience, context, cb) {
  var access_token = { scope: scope };

  if (client.metadata) {
    access_token'https://example.com/urn'] = client.metadata.urn;
  }

  cb(null, access_token);
};

With the above hook in place you should now receive a JWT access token with an additional custom claim in the payload:

{
  "iss": "https://[your_account].auth0.com/",
  "sub": "[your_client]@clients",
  "aud": "https://api.example.com",
  "exp": 1498207694,
  "iat": 1498121294,
  "scope": "read:examples",
  "https://example.com/urn": "urn:example.com:c-one"
}

As an additional note, have in mind that the /userinfo endpoint is meant to provide information about an end-user and as such can be called by a suitable access token issued as part of an end-user related flow. For the client credentials grant (non-interactive clients) there is no end-user so that endpoint does not apply.

1 Like