How to Pass Custom Data in POST Requests to 'oauth/device/code' with Device Code Flow

Overview

This article explains how to pass custom data with POST requests when using the Device Code Flow.

  • With the Client Credentials (Machine-to-Machine) flow, custom data can be passed in the POST request to the oauth/token endpoint and read in an Action, but the Device Code Flow does not support this in the same way.
  • According to the "Device code parameters" documentation, the only parameters that can be passed in a POST call to oauth/device/code are client_id, scope, and audience.

Applies To

  • Actions
  • Device Code Flow
  • ID Tokens
  • Custom Claims

Solution

To pass custom data from the Device Code Flow, use the scopes sent in the initial request to oauth/device/code and use the Post-Login Action event.transaction object to inspect the requested scopes.

  1. In the POST call to /oauth/device/code (example here: Example POST to device code URL), include YOUR_CUSTOM_SCOPE as a scope.
  2. Create and deploy a Post-Login Action that looks like this:
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://my-namespace';
  // event.transaction is not present for every flow, so check it before reading from it
  if (event.transaction) {
    // requested_scopes is the list of scopes the client sent to /oauth/device/code
    const scopes = event.transaction.requested_scopes || [];
    if (scopes.includes('YOUR_CUSTOM_SCOPE')) {
      // surface the custom scope as a namespaced claim on the ID Token
      api.idToken.setCustomClaim(`${namespace}/env`, 'YOUR_CUSTOM_SCOPE');
    }
  }
};

The ID Token will have 'YOUR_CUSTOM_SCOPE' added as a custom claim.
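The following is an added example, not Auth0's own code or the Action from this article: it builds the form body for the step 1 POST to /oauth/device/code, then runs a generalised version of the step 2 Action against a constructed event and a stand-in for the Actions api object, so the claim logic can be exercised offline. The tenant domain, client_id, audience and the extra env:staging / env:production scopes are placeholders and assumptions; only 'YOUR_CUSTOM_SCOPE' and the https://my-namespace namespace come from the article. Because the scope list is whatever the client put in its request, the claim value is client-supplied data; anything that consumes the claim should treat it that way rather than as something the Action has verified.

```javascript
// Added example (not Auth0's own code): step 1 request body plus a generalised
// form of the step 2 Post-Login Action, run against a constructed event.

const NAMESPACE = 'https://my-namespace'; // namespace used in the article's Action

// Step 1: form body for POST https://YOUR_DOMAIN/oauth/device/code. The endpoint
// accepts only client_id, scope and audience, so custom data has to ride in `scope`.
function buildDeviceCodeBody({ clientId, scopes, audience }) {
  const params = new URLSearchParams({ client_id: clientId, scope: scopes.join(' ') });
  if (audience) params.set('audience', audience);
  return params.toString();
}

// Custom scopes the Action recognises, mapped to the claim value each one sets.
// 'YOUR_CUSTOM_SCOPE' is the article's placeholder; the 'env:*' scopes are assumed.
const SCOPE_TO_ENV = new Map([
  ['YOUR_CUSTOM_SCOPE', 'YOUR_CUSTOM_SCOPE'],
  ['env:staging', 'staging'],
  ['env:production', 'production'],
]);

// Decides which claim (if any) the requested scopes produce. Kept separate from
// the Action so it can be tested without the Actions runtime. The scope list is
// whatever the client sent, so the returned value is client-supplied data.
function selectEnvClaim(requestedScopes) {
  const match = (requestedScopes || []).find((s) => SCOPE_TO_ENV.has(s));
  return match ? { name: `${NAMESPACE}/env`, value: SCOPE_TO_ENV.get(match) } : null;
}

// Step 2: the Post-Login Action. event.transaction can be undefined for some
// flows (refresh-token exchanges, for example), hence the optional chaining.
async function onExecutePostLogin(event, api) {
  const claim = selectEnvClaim(event.transaction?.requested_scopes);
  if (claim) api.idToken.setCustomClaim(claim.name, claim.value);
}

// Minimal stand-in for the Actions `api` object: records claims set on the ID token.
function makeFakeApi() {
  const claims = {};
  return { claims, idToken: { setCustomClaim: (name, value) => { claims[name] = value; } } };
}

// Parses the step 1 body back into the requested_scopes array the Action sees.
function scopesFromBody(body) {
  const scope = new URLSearchParams(body).get('scope');
  return scope ? scope.split(' ') : [];
}

// Demo: one request carrying the custom scope, one without it (constructed inputs).
const withScope = buildDeviceCodeBody({
  clientId: 'YOUR_CLIENT_ID', // placeholder
  scopes: ['openid', 'profile', 'YOUR_CUSTOM_SCOPE'],
  audience: 'https://api.example.test', // placeholder
});
const withoutScope = buildDeviceCodeBody({ clientId: 'YOUR_CLIENT_ID', scopes: ['openid', 'profile'] });
for (const body of [withScope, withoutScope]) {
  const api = makeFakeApi();
  onExecutePostLogin({ transaction: { requested_scopes: scopesFromBody(body) } }, api)
    .then(() => console.log(body, '->', api.claims));
}
```

Running it prints the claims map for each body: the request with YOUR_CUSTOM_SCOPE yields `{ 'https://my-namespace/env': 'YOUR_CUSTOM_SCOPE' }`, the other yields an empty object. Splitting the decision into selectEnvClaim is what makes the Action's behaviour testable before it is deployed to a tenant.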

Related Resources