How can I access custom user properties in my custom action?

Hi,

I’m trying to implement a custom post-login action. I’ve set up an enterprise connection (OIDC), which itself provides custom claims to the user object after login.
Example:

{
    "created_at": "2021-07-26T13:43:47.409Z",
    "family_name": "Mantz",
    "given_name": "Maximilian",
    "identities": [
        {
            "user_id": "my-oidc-connection|my-user-id",
            "provider": "oidc",
            "connection": "my-oidc-connection",
            "isSocial": false
        }
    ],
    "idp": "local",
    "name": "Maximilian Mantz",
    // these are the custom claims
    "master_roles": [
        "isAdmin",
        "access:read",
        "access:write"
    ],
    // ...
}

In my custom action, I would like to forward these claims in the idToken and accessToken like this:

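exports.onExecutePostLogin = async (event, api) => {
  // Root-level attribute supplied by the upstream OIDC connection
  const roleIdentifier = "master_roles";
  if (event.user[roleIdentifier]) {
    // Forward the roles under a namespaced claim in both tokens
    api.idToken.setCustomClaim("https://master.com/roles", event.user[roleIdentifier]);
    api.accessToken.setCustomClaim("https://master.com/roles", event.user[roleIdentifier]);
  }
};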

However, when this action executes, the claims are not written into the tokens. When I test the action and customize the user object by inserting the roles into the user object manually, it works perfectly. But it seems like in production the event.user object does not contain the custom claims.

EDIT:
When using rules, accessing these claims works. However, it seems that rules will be deprecated soon. How can I achieve this behavior using actions?

Thanks in advance!

I am also having this problem with our implementation. Auth0, please advise.

FWIW, I have been able to work around this limitation by explicitly loading the user via the Admin API. Unfortunately, this won’t scale well, because you will run into API rate limits at higher usage.

I’m really hoping the folks at Auth0 rectify this shortcoming soon!

Ben Schreiber
Adaptive Biotechnologies
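
One way to structure the workaround described in the reply above, as an added example that is not code from the thread or from Auth0: the handler uses event.user when the attribute is present, falls back to one explicit profile lookup otherwise, and forwards only roles found on an allowlist. `loadProfile`, `ALLOWED_ROLES`, the recording `api` stub and the sample user id are assumptions for illustration; in a real Action the returned handler would be assigned to `exports.onExecutePostLogin`.

```javascript
const ROLE_KEY = "master_roles";            // attribute name from the thread
const CLAIM = "https://master.com/roles";   // claim namespace from the thread
const ALLOWED_ROLES = new Set(["isAdmin", "access:read", "access:write"]); // assumed allowlist

// Keep only string roles on the allowlist; anything else sent by the upstream IdP is dropped.
function filterRoles(raw, allowed = ALLOWED_ROLES) {
  if (!Array.isArray(raw)) return [];
  return [...new Set(raw.filter((r) => typeof r === "string" && allowed.has(r)))];
}

// loadProfile(userId) is a hypothetical async helper returning the full user profile,
// for example via the Management API lookup mentioned in the reply above.
function makePostLogin(loadProfile) {
  return async function onExecutePostLogin(event, api) {
    let raw = event.user[ROLE_KEY];
    if (raw === undefined) {
      // event.user lacks the attribute: fall back to one explicit lookup per login.
      try {
        const profile = await loadProfile(event.user.user_id);
        raw = profile ? profile[ROLE_KEY] : undefined;
      } catch (err) {
        raw = undefined; // lookup failed or was rate limited: issue tokens without roles
      }
    }
    const roles = filterRoles(raw);
    if (roles.length === 0) return roles;
    api.idToken.setCustomClaim(CLAIM, roles);
    api.accessToken.setCustomClaim(CLAIM, roles);
    return roles;
  };
}

// Constructed stand-in for the Actions `api` object; records the claims set on each token.
function makeRecordingApi() {
  const claims = { idToken: {}, accessToken: {} };
  const setter = (t) => ({ setCustomClaim: (k, v) => { claims[t][k] = v; } });
  return { claims, idToken: setter("idToken"), accessToken: setter("accessToken") };
}

// Constructed run: event.user has no master_roles; the lookup returns unexpected values too.
async function demo() {
  const lookup = async () => ({ master_roles: ["access:read", "superuser", 42, "access:read"] });
  const api = makeRecordingApi();
  await makePostLogin(lookup)({ user: { user_id: "oidc|example-user" } }, api);
  return api.claims;
}
```

A failed lookup leaves the tokens without the roles claim rather than blocking the login, so downstream services should treat a missing claim as no privileges.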

My workaround was to use rules instead of actions. Rules will be deprecated soon, however, and every part of the Auth0 documentation presents actions as a better alternative. In this case, however, this is not true.