How do I encode custom claims in the access token JWT returned from the oauth 2.0 flow?

When logging in with a username password combo my custom claims are encoded, but that isn’t the case when I go through the Oauth2.0 flow. My custom claims are in the id token, but not in the access token.

I don’t think it’s safe to gate api access on an id token so this won’t work

Hi @david.zirinsky,

Can you explain what you mean by “Oauth2.0 flow”? Do you have an example of the call you are making?

Two was to get the tokens missing claims:

Going through the oauth flow does not encode claims in our access token. Going through the tutorial at: Auth0 Python SDK Quickstarts: Login yields a token that can no custom claims. The same can be seen with the follow curl command:

curl --location --request POST ‘https://MY_AUTH0_DOMAIN/oauth/token’ \

–header ‘content-type: application/x-www-form-urlencoded’ \

–data-urlencode ‘grant_type=refresh_token’ \

–data-urlencode 'client_id=OUR CLIENT ID \

–data-urlencode ‘client_secret=OUR SECRET’ \

–data-urlencode ‘refresh_token=VALID_REFRESH_TOKEN’

Can you please share an example of the Action you are using to add custom claims?

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'our_namespace';
  const { field_1, field_2, field_3, field_4 } = event.user.user_metadata;

  if (event.authorization) {
    // Set claims 
    api.accessToken.setCustomClaim(`${namespace}/field_1`, field_1);
    api.accessToken.setCustomClaim(`${namespace}/field_2`, field_2);
    api.accessToken.setCustomClaim(`${namespace}/field_3`, field_3);
    api.accessToken.setCustomClaim(`${namespace}/account_uuid`, account_uuid);
    api.idToken.setCustomClaim(`${namespace}/field_1`, field_1);
    api.idToken.setCustomClaim(`${namespace}/field_2`, field_2);
    api.idToken.setCustomClaim(`${namespace}/field_3`, field_3);
    api.idToken.setCustomClaim(`${namespace}/field_4`, field_4);
  }
};

@david.zirinsky,

Make sure your namespace follows the guidelines:

Also, can you confirm you are sending an audience param with your requests? You may not be requesting a JWT.