JWT token isn't saved in rule

I have problem with rule after signUp and login user. I am using Auth0Lock v10 and option loginAfterSignUp is left as default ( true ).

My rule saves user.email into JWT (accessToken) token (see below), but this email isn’t set in my event callback authenticated. Keys which are in JWT (accessToken) are aud, azp, exp, sub etc. but no https://example.io/email. If I debug rule in Real-time Webtask Logs my console.logs are visible and JWT (accessToken) is properly set, even after first login.

After logout and login again is my JWT (accessToken) token OK and email is visible.

My rule:

function (user, context, callback) { 
  console.log('add-user_metadata-to-token_id - start');
  console.log('add-user_metadata-to-token_id - user ', user);
  console.log('add-user_metadata-to-token_id - context: ', context);
  var namespace = 'https://example.io/';
  context.accessToken[namespace + 'email'] = user.email;
  console.log('add-user_metadata-to-token_id - idToken', context.idToken);
  console.log('add-user_metadata-to-token_id - accessToken', context.accessToken);
  callback(null, user, context);

Auth-lock version: 10.24.1

  leeway: 30, 
  theme: {
    primaryColor: '#6e40ff',
    logo: amioLogoImage
  allowShowPassword: true,
  languageDictionary: {
    title: ''
  oidcConformant: true,
  autoclose: true,
  rememberLastLogin: true,
  auth: {
    redirectUrl: 'http://localhost:9000/app/login',
    autoParseHash: true,
    sso: true,
    responseType: 'token',
    audience: 'https://example.io'
  additionalSignUpFields: {
    name: 'webapp_url',
    placeholder: 'webapp_url',
    prefill: getAuth0Props().webappUrl

Do you have any idea where is the problem or is this some kind of bug?

Using a smaller version of the rule you shows (without the log statements) I could not reproduce the issue and the issued access token contained the custom claim with the user email address. Given that both access tokens and ID tokens can be JWT it might be better to specific and use that terminology instead of JWT token which may refer to one or to the other.

If you can reproduce this consistently you should update your question with the exact Lock configuration you’re using and also the exact Lock version being used so that troubleshooting can be done in equal terms.

In addition, have in mind that access tokens are not meant to be parsed by client application so if you want to have access to the email address in a browser-based application you should request that the email be included as part of the issued ID token (you can do that by making an OIDC request with scope containing openid and email.

Thanks for your response.

After downgrade version Auth0-lock to 10.20.0 it is working good, so it’s look there was some problem with version 10.24.1.

Auth0-lock version 11 problem: Bug: Access token missing custom fields added in rule - Auth0 Community