How do I read the audience inside a rule?


There will be a different audience for each deployment environment.
I’m using the password flow to make and test the tokens.
The dotnet core API is going to be done around OAuth like in these samples, so it’s gonna use JWT tokens created by an app.

And I was trying to push the user roles into the tokens. It works with a rule like this that I’ve taken from other examples like this one: Get the user role on Login.

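function (user, context, callback) {
  // Roles come from the user profile or from the authorization context.
  var roles = user.roles || (context.authorization && context.authorization.roles);
  if (roles && roles.length) {
    // Namespaced custom claim, added to both the access token and the ID token.
    var ns = 'https://localhost:8443/api/';
    context.accessToken[ns + 'roles'] = roles;
    context.idToken[ns + 'roles'] = roles;
  }
  return callback(null, user, context);
}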

This is what I get as claims in the API, from the token, which is great:

    {
        "type": "https://localhost:8443/api/roles",
        "value": "Demo"
    },
    {
        "type": "https://localhost:8443/api/roles",
        "value": "User"
    }

But that means I had to hard code a namespace that is my audience and that’s not going to work with my deployment environments.
It doesn’t work without a namespace – so ‘context.accessToken.roles’ doesn’t end up in the claims, and that namespace cannot be my domain – for some obscure reason. :slight_smile:
To avoid hard coding my audience, I was looking into getting it from somewhere inside the rule, but I did not manage.

Also I might be doing this the wrong way, from the design pov.

Any help would be appreciated,


Hi @lnaie

See this doc:

Namespaces are arbitrary identifiers, they do not need to be based on the audience. Is there a reason you need different claim namespaces for the different environments?
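
The point of the reply above, as an added example that is not part of the thread and not Auth0's own code: the rule uses one fixed claim namespace while the audience changes per environment. `CLAIM_NS`, `issueAccessToken`, `rolesFromPayload` and the staging audience are assumptions, and the harness is a constructed stand-in for the rule pipeline.

```javascript
// Fixed claim namespace (assumed value). It is only an identifier: it is never
// fetched and does not have to match the audience of any environment.
const CLAIM_NS = 'https://example.com/claims/';

// Rule body: same shape as the rule in the question, without the audience in the key.
function addRoleClaims(user, context, callback) {
  const roles = user.roles || (context.authorization && context.authorization.roles);
  if (Array.isArray(roles) && roles.length) {
    context.accessToken[CLAIM_NS + 'roles'] = roles;
    context.idToken[CLAIM_NS + 'roles'] = roles;
  }
  return callback(null, user, context);
}

// Constructed harness: runs the rule, then merges the custom claims into an
// access-token payload for the audience of one deployment environment.
function issueAccessToken(audience, user) {
  const context = { accessToken: {}, idToken: {}, authorization: { roles: ['Demo', 'User'] } };
  let payload = null;
  addRoleClaims(user, context, (err, u, ctx) => {
    if (err) throw err;
    payload = Object.assign({ aud: audience, sub: u.user_id }, ctx.accessToken);
  });
  return payload;
}

// API side: look the roles up by the fixed claim name, whatever the audience is.
function rolesFromPayload(payload) {
  const value = payload[CLAIM_NS + 'roles'];
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// Constructed sample user and audiences.
const user = { user_id: 'auth0|constructed-user' };
for (const aud of ['https://localhost:8443/api/', 'https://staging.example.com/api/']) {
  const token = issueAccessToken(aud, user);
  console.log(token.aud, '->', rolesFromPayload(token));
}
```

The API reads the same claim name in every environment, so only the audience setting differs between deployments.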


I see your point.

Thanks a lot,