When logging in with a username/password combo my custom claims are encoded, but that isn’t the case when I go through the OAuth 2.0 flow. My custom claims are in the ID token, but not in the access token.
I don’t think it’s safe to gate API access on an ID token, so this won’t work.
Hi @david.zirinsky,
Can you explain what you mean by “Oauth2.0 flow”? Do you have an example of the call you are making?
Two ways to get the tokens missing claims:
Going through the OAuth flow does not encode claims in our access token. Going through the tutorial at: Auth0 Python SDK Quickstarts: Login yields a token that has no custom claims. The same can be seen with the following curl command:
curl --location --request POST 'https://MY_AUTH0_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=refresh_token' \
  --data-urlencode 'client_id=OUR CLIENT ID' \
  --data-urlencode 'client_secret=OUR SECRET' \
  --data-urlencode 'refresh_token=VALID_REFRESH_TOKEN'
Can you please share an example of the Action you are using to add custom claims?
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'our_namespace';
  // Custom fields are read from the user's metadata
  const { field_1, field_2, field_3, field_4, account_uuid } = event.user.user_metadata;

  if (event.authorization) {
    // Set claims on the access token
    api.accessToken.setCustomClaim(`${namespace}/field_1`, field_1);
    api.accessToken.setCustomClaim(`${namespace}/field_2`, field_2);
    api.accessToken.setCustomClaim(`${namespace}/field_3`, field_3);
    api.accessToken.setCustomClaim(`${namespace}/account_uuid`, account_uuid);

    // Set claims on the ID token
    api.idToken.setCustomClaim(`${namespace}/field_1`, field_1);
    api.idToken.setCustomClaim(`${namespace}/field_2`, field_2);
    api.idToken.setCustomClaim(`${namespace}/field_3`, field_3);
    api.idToken.setCustomClaim(`${namespace}/field_4`, field_4);
  }
};
@david.zirinsky,
Make sure your namespace follows the guidelines:
Also, can you confirm you are sending an audience param with your requests? You may not be requesting a JWT.
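
A quick way to check both points raised in this thread (whether the access token is a JWT at all, and whether the namespaced claims are in it), as an added example that is not from the thread or from Auth0. The function name `inspectToken`, the sample tokens and the `https://example.test` namespace are assumptions made for illustration.

```javascript
// Added diagnostic sketch. It decodes a token WITHOUT verifying its signature,
// so it is only for looking at a token you were issued; an API must still
// validate signature, issuer and audience before trusting any claim.

const b64urlJson = (segment) =>
  JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));

const OPAQUE = { format: 'opaque', audience: null, custom: {} };

// Returns { format, audience, custom }; `custom` holds the claims whose
// names start with `${namespace}/`.
function inspectToken(token, namespace) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return OPAQUE; // not header.payload.signature
  let payload;
  try {
    b64urlJson(parts[0]); // header must be JSON too
    payload = b64urlJson(parts[1]);
  } catch (err) {
    return OPAQUE; // segments are not base64url-encoded JSON
  }
  if (payload === null || typeof payload !== 'object') return OPAQUE;
  const prefix = `${namespace}/`;
  const custom = Object.fromEntries(
    Object.entries(payload).filter(([name]) => name.startsWith(prefix))
  );
  return { format: 'jwt', audience: payload.aud ?? null, custom };
}

// Constructed sample tokens (dummy signature, hypothetical values).
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleJwt = (payload) =>
  [encode({ alg: 'RS256', typ: 'JWT' }), encode(payload), 'c2ln'].join('.');

const NS = 'https://example.test'; // assumed URL-style namespace
const withClaims = sampleJwt({
  aud: 'https://api.example.test',
  [`${NS}/field_1`]: 'a',
});
const withoutClaims = sampleJwt({ aud: 'https://api.example.test' });
const opaqueToken = 'kq3ZExampleOpaqueValue'; // constructed non-JWT string

console.log(inspectToken(withClaims, NS));    // jwt, one custom claim
console.log(inspectToken(withoutClaims, NS)); // jwt, no custom claims
console.log(inspectToken(opaqueToken, NS));   // opaque: nothing to read
```

An `opaque` result points at the request (for example, no audience was sent), while a `jwt` result with an empty `custom` object points at the Action or the namespace.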