I have an m2m application and am trying to get a new oauth token using the POST ‘oauth/token’ endpoint.
Looking at the Authentication API - Get Token docs, the request parameters show the following.
When testing this endpoint, I am able to send additional custom key/value pairs in the request body. Below is a sample request.
import httpx

response = httpx.post(
    f"https://{CONFIG.AUTH0_DOMAIN}/oauth/token",
    json={
        "grant_type": "client_credentials",
        "client_id": CONFIG.client_id,
        "client_secret": CONFIG.client_secret,
        "audience": CONFIG.API_AUDIENCE,
        "test_metadata": "test-metadata",  # custom key/value pair
    },
)
I’m wondering if including additional custom data is allowed and just not documented or if this is potentially a bug and should be avoided?
Hi @brian.flannery , welcome to Auth0!
In this case the additional parameter is ignored by the server.
For example, sending both:
1.
curl --request POST \
  --url https://{auth0_domain}/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"xxx","client_secret":"xxx","audience":"xxx/api/v2/","grant_type":"client_credentials"}'
2.
curl --request POST \
  --url https://{auth0_domain}/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"xxx","client_secret":"xxx","audience":"xxx/api/v2/","grant_type":"client_credentials", "random_metadata":"random_value"}'
results in receiving a bearer token with scopes and expiry time as set in the Auth0 dashboard.
Is this also a behaviour that you can observe? Please let us know any questions.
I do see that the server ignores the additional custom field by default; however, I don’t expect this out of the box and am trying to use an action to set this field manually.
Use case: I want to add the additional metadata to the access token via setting custom claims.
Below is a breakdown of my workflow:
- Send an HTTP request to oauth/token to get an access token. Here is my sample request:
import httpx

response = httpx.post(
    f"https://{CONFIG.AUTH0_DOMAIN}/oauth/token",
    json={
        "grant_type": "client_credentials",
        "client_id": CONFIG.client_id,
        "client_secret": CONFIG.client_secret,
        "audience": CONFIG.API_AUDIENCE,
        "test_metadata": "test-metadata",  # custom key/value pair
    },
)
- Add a Machine-to-Machine action to intercept the Token Request ↔ Token Issued
- Get the test_metadata data field from event.request.body and set api.accessToken.setCustomClaim equal to the field value
- When my server receives and decodes this token, I’m able to grab the custom claim data from the payload
Testing all this locally I am able to get the custom field on to my access token as I want.
What I want to confirm, though, is that sending the custom field via /oauth/token and grabbing it from the action event is a valid approach and not just a loophole in the endpoint ↔ event action.
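The Action step of the workflow above, as an added example that is neither Auth0's code nor the original poster's. It implements the Machine-to-Machine (Credentials Exchange) trigger, reads the test_metadata field from event.request.body and sets it as a custom claim with api.accessToken.setCustomClaim. The claim namespace (https://example.com/), the allowed-value pattern and the local harness are this example's own assumptions; the only thing the request body guarantees is that whoever held the client credentials chose the value, so the Action validates it before copying it into a signed token.

```javascript
// Added example: an Auth0 Action for the Machine-to-Machine (Credentials Exchange) flow
// that copies a caller-supplied POST /oauth/token body field into a namespaced custom claim.
// Assumptions (not from the thread): the namespace below, the allowed-value pattern, and
// the runLocally() harness used to exercise the handler without deploying it.

const CLAIM_NAMESPACE = "https://example.com/"; // assumed; Auth0 expects custom claims to be namespaced
const FIELD = "test_metadata";                   // the undocumented extra key sent by the client
const ALLOWED = /^[A-Za-z0-9_-]{1,64}$/;         // accept only short, simple values from the body

// Return the validated field value from the parsed token-request body, or undefined
// when the field is missing, not a string, or does not match the allowed pattern.
function extractMetadata(body) {
  if (!body || typeof body !== "object") return undefined;
  const value = body[FIELD];
  if (typeof value !== "string" || !ALLOWED.test(value)) return undefined;
  return value;
}

// Set the custom claim through the Action API object. Returns the claim name that was
// set, or null when nothing trustworthy was found (the token is then issued unchanged).
function applyMetadataClaim(body, api) {
  const value = extractMetadata(body);
  if (value === undefined) return null;
  const claimName = CLAIM_NAMESPACE + FIELD;
  api.accessToken.setCustomClaim(claimName, value);
  return claimName;
}

// Auth0 handler for the Credentials Exchange trigger ("Machine to Machine" in the dashboard).
// event.request.body is the parsed body of the POST /oauth/token request, extra keys included.
const onExecuteCredentialsExchange = async (event, api) => {
  applyMetadataClaim(event.request && event.request.body, api);
};

// Auth0 Actions are CommonJS modules that export the trigger handler by this name.
if (typeof exports !== "undefined") {
  exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;
}

// Local harness: a fake `api` that records the claims the Action would set, so the
// handler's behaviour on a given request body can be checked without a deployment.
function runLocally(body) {
  const claims = {};
  const api = { accessToken: { setCustomClaim(name, value) { claims[name] = value; } } };
  applyMetadataClaim(body, api);
  return claims;
}

// Constructed sample bodies mirroring the thread's requests (secrets replaced).
const SAMPLE_WITH_FIELD = { grant_type: "client_credentials", client_id: "xxx",
  client_secret: "xxx", audience: "xxx/api/v2/", test_metadata: "test-metadata" };
const SAMPLE_WITHOUT_FIELD = { grant_type: "client_credentials", client_id: "xxx",
  client_secret: "xxx", audience: "xxx/api/v2/" };
```

The resource server that receives the token still has to verify the signature and the audience before reading the claim; the claim is only as trustworthy as that verification plus whatever validation the Action applies to the incoming value.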
Hi @brian.flannery ,
Thanks for your patience.
It is a valid approach, feel free to build on that.