I’ve set up a Login Action in my tenant that adds the user’s email to the token. It works great with my React application integration.
However, when I set up a server-side OAuth 2.0 Authorization Code Flow so I can use an Auth0-generated access token for my custom API from a Retool environment, the email does not appear in the token.
Is this because using a server-side flow is counted as a machine-to-machine token and not a “login”? This process does require the user to authenticate, so I would expect the email to be included. Note that I’m not using the OAuth 2.0 Client Credentials flow, in which it would be expected not to have the token associated with a user.
Thanks for the reply. Yes, the user is being redirected to the Universal Sign-on Page and entering their username and password (or using some other connection), then gets redirected back to Retool with the token. Retool then uses that token when sending requests to the custom API.
I don’t have access to the requests, as they are handled by the Retool integration. They keep the request information private and it doesn’t seem to be debuggable. All I can do is pass information into their widget:
Is it possible something on their end is stripping the email from the token? Or would the token be issued by an Auth0 system that doesn’t use the post-login action?
It is impossible because once a token is issued, it cannot be changed; they are immutable. Based on what you have shared, Retool is only using the token to make the request and not generating a new token. The token is generated from the initial step, where the user logs in using their credentials. Using the authorization code flow will trigger the post-login action.
In this case, could you try decoding the access token before Retool uses it to send requests to the custom API?
I expect the decoded token to contain the email in the access token at that point of the flow.
Additionally, could you check your Auth0 Logs and look for a successful login event matching the login you performed? Then check the Action Details tab to see if the email is being added as a custom claim to the access token.
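As an added illustration of the two checks suggested in the reply above (this is example code, not something posted in the thread or taken from Retool or Auth0's own code), the block below shows the shape of a post-login Action that copies `event.user.email` into the access token with `api.accessToken.setCustomClaim`, and a small inspector that base64url-decodes a compact JWT so you can confirm the claim is present before Retool forwards the token to the custom API. The `https://example.com/` claim namespace, the `api` stub, and the unsigned token built for the offline simulation are assumptions made for the example; a real Auth0 access token is signed and would be verified against the tenant JWKS, not decoded blindly.

```javascript
// Added example (not from the thread): Auth0 post-login Action + token inspector.
// Namespacing the claim keeps it clear of reserved/registered claim names.
const CLAIM_NAMESPACE = 'https://example.com/'; // assumed; use your own namespace

// Shape of an Auth0 Action handler (exports.onExecutePostLogin in the tenant).
// Only login flows (Authorization Code, Universal Login, ...) hit this trigger;
// Client Credentials runs the separate credentials-exchange trigger instead.
async function onExecutePostLogin(event, api) {
  if (event.user && event.user.email) {
    api.accessToken.setCustomClaim(`${CLAIM_NAMESPACE}email`, event.user.email);
    api.idToken.setCustomClaim(`${CLAIM_NAMESPACE}email`, event.user.email);
  }
}

// Decode the payload of a compact JWS WITHOUT verifying the signature.
// Inspection only: an API must verify the RS256 signature via the tenant JWKS.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns the namespaced email claim if the token carries it, otherwise null.
function emailClaimOf(token, namespace = CLAIM_NAMESPACE) {
  const payload = decodeJwtPayload(token);
  return payload[`${namespace}email`] ?? null;
}

// --- Offline simulation (constructed stand-ins, not the real Actions runtime) ---
// Stub of the Action `api` object that records claims the way Auth0 would before signing.
function makeApiStub() {
  const claims = { accessToken: {}, idToken: {} };
  return {
    claims,
    accessToken: { setCustomClaim: (k, v) => { claims.accessToken[k] = v; } },
    idToken: { setCustomClaim: (k, v) => { claims.idToken[k] = v; } },
  };
}

// Build an UNSIGNED token (alg "none") purely so the decoder has input.
// Never accept such a token in an API; it only exists here for the demo.
function buildUnsignedToken(extraClaims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = { alg: 'none', typ: 'JWT' };
  const payload = {
    iss: 'https://YOUR_TENANT.auth0.com/', // placeholder issuer
    sub: 'auth0|123',                       // constructed user id
    aud: 'https://my-api',                  // constructed API identifier
    ...extraClaims,
  };
  return `${b64(header)}.${b64(payload)}.`;
}

// Run the Action against a constructed login event and mint a token from its claims.
async function simulateLogin(email) {
  const api = makeApiStub();
  await onExecutePostLogin({ user: { email } }, api);
  return buildUnsignedToken(api.claims.accessToken);
}

// Stand-alone demo: decode the token the same way you would in Retool's token step.
simulateLogin('alice@example.com').then((token) => {
  console.log('email claim:', emailClaimOf(token));
  console.log('payload:', decodeJwtPayload(token));
});
```

If `emailClaimOf` returns `null` for the token you captured right after the redirect back to Retool, the Action did not add the claim for that login; the Auth0 Logs entry for that Successful Login and its Action Details tab will show whether the Action ran and what it set.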
Thanks for the thoughts. And yes, it makes total sense that data can’t be stripped out of the token after it’s issued.
I’ve actually redone our system to use Auth0 user IDs instead of emails and am no longer using the post-login action to add the email to the token. So I’m not able to do further testing on this at the moment, but I appreciate your willingness to help!