How do I get a JWT for an authenticated user which has gone through the Post Login Action (for setting custom claims)?

I have tried many ways of getting a JWT with my custom claims set on it from app_metadata, but without success.

I am developing a backend-only api (there will be a frontend build later) with authentication via Auth0. I am using the userId stored in the JWT to connect Auth0 users to data in my own application database. I need to also access other data which I’ve stored in app_metadata and which I set as a custom claim in a Post Login action. My problem is that I cannot get a JWT which was created using my action. (I need the raw JWT to test my api.) Either I get my JWT using /oauth/token and my Post Login action is not triggered, or I log in with a test frontend and I can’t get access to the raw JWT.

What I’ve tried:

Using postman/browser I’m able to visit this endpoint in my browser: https://{{auth0_domain}}/authorize?response_type=code&client_id={{auth0_client_id}}&redirect_uri={{redirect_uri}}&audience={{audience}}

This gives me a code which I can exchange for a JWT by posting to https://{{auth0_domain}}/oauth/token, but this does not go through my post login action (so it is missing the custom claims).

I’ve also tried logging in to a test frontend app and I can see that the claims are being set correctly, but I’m not able to get access to my JWT. I know it is set in my browser, but it seems like I’m not supposed to be able to access it.

Hi @aaandrew,

Welcome to the Auth0 Community!

To get a JWT access token for a user who has authenticated and triggered the Post-Login Action, please follow our Call Your API Using the Authorization Code Flow documentation.

I see that you are on the right track, as you are already calling the /authorize endpoint to get a code to exchange it for an access token to the /oauth/token endpoint.

Everything looks correct. However, since you have not been getting the custom claims, I would recommend reviewing your Action script and using console.log() statements to debug and see what is preventing the claims from being appended.

I would also urge you to check out our Adding custom claims to tokens FAQ.

Please let me know how this goes for you.

Thanks,
Rueben

Thanks for your response @rueben.tiow. You recommended reviewing my Action script and using console.log(), but I’m confused where the logs would be?

If you mean using the test tool that looks like this (which seems to be the only way to see logs):

Then that is already working, and you can see the result from that below shows that my custom claim is being set properly:

Test Results
Commands:
[
  {
    "key": "addedToAppDB",
    "target": "application",
    "type": "SetMetadata",
    "value": true
  },
  {
    "key": "familyId",
    "target": "application",
    "type": "SetMetadata",
    "value": "a813549c-31e9-4b26-bad3-2af5be7b2fc5"
  },
  {
    "name": "https://my-domain.com/familyId",
    "target": "idToken",
    "type": "SetCustomClaim",
    "value": "a813549c-31e9-4b26-bad3-2af5be7b2fc5"
  }
]

As I tried to explain in my original post, my action does seem to be working. My problem is that the post login action never even gets run if you are logging in by calling the /authorize endpoint to get a code to exchange for an access token from the /oauth/token endpoint.

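Added example, not code from this thread or from Auth0: a Post Login Action in the same shape as the one tested above, except that it sets the namespaced claim on the access token as well as the ID token, since an API validating the token from /oauth/token only sees claims set via api.accessToken.setCustomClaim (the test output above records a SetCustomClaim command whose target is idToken only). The claim name, namespace and metadata keys come from that output; the user id, the app-DB lookup and the runtime mock are constructed so the block runs offline.

```javascript
// In the Auth0 Actions editor this function is exported as
// exports.onExecutePostLogin; it is a plain const here so the file
// runs under both CommonJS and ESM.
const NAMESPACE = 'https://my-domain.com/'; // namespace from the thread

// Hypothetical stand-in for the app's own database (constructed data).
function lookupFamilyId(userId) {
  const constructed = { 'auth0|123': 'a813549c-31e9-4b26-bad3-2af5be7b2fc5' };
  return constructed[userId] || null;
}

const onExecutePostLogin = async (event, api) => {
  const familyId = (event.user.app_metadata || {}).familyId
    || lookupFamilyId(event.user.user_id);
  if (!familyId) return; // unknown user: leave tokens and metadata untouched

  api.user.setAppMetadata('familyId', familyId);
  api.user.setAppMetadata('addedToAppDB', true);
  // The backend API validates the access token, so the claim must be here:
  api.accessToken.setCustomClaim(`${NAMESPACE}familyId`, familyId);
  // The frontend reads the ID token, which needs its own copy:
  api.idToken.setCustomClaim(`${NAMESPACE}familyId`, familyId);
};

// Minimal mock of the Actions runtime that records commands in the same
// form as the "Test Results" panel in the Actions editor.
function makeMockApi() {
  const commands = [];
  const tokenApi = (target) => ({
    setCustomClaim: (name, value) =>
      commands.push({ name, target, type: 'SetCustomClaim', value }),
  });
  return {
    commands,
    user: {
      setAppMetadata: (key, value) =>
        commands.push({ key, target: 'application', type: 'SetMetadata', value }),
    },
    accessToken: tokenApi('accessToken'),
    idToken: tokenApi('idToken'),
  };
}

// Runs the action for one constructed login and returns the recorded commands.
// The action body contains no await, so every command is recorded before
// the returned promise settles and the result can be read synchronously.
function runAction(userId, appMetadata = {}) {
  const api = makeMockApi();
  onExecutePostLogin({ user: { user_id: userId, app_metadata: appMetadata } }, api);
  return api.commands;
}
```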

Hi @aaandrew,

Thanks for the update.

You could use the Real-time Webtask Logs Extension to monitor the action script’s execution in a login flow. Could you give it a try and let me know what happens?

Thanks,
Rueben
