Oauth/token request payload custom key/values

Help
,
1

I have an m2m application and am trying to get a new oauth token using the POST ‘oauth/token’ endpoint.

Looking at the Authentication API - Get Token docs, the request parameters show the following.

Screenshot 2023-11-30 at 8.07.09 PM
Screenshot 2023-11-30 at 8.07.09 PM2378×1312 374 KB

When testing this endpoint, I am able to send additional custom key/value pairs in the request body. Below is a sample request.

    response = httpx.post(
        f"https://{CONFIG.AUTH0_DOMAIN}/oauth/token",
        json={
            "grant_type": "client_credentials",
            "client_id": CONFIG.client_id,
            "client_secret": CONFIG.client_secret,
            "audience": CONFIG.API_AUDIENCE,
            "test_metadata": "test-metadata" // custom key/value pair
        },
    )

I’m wondering if including additional custom data is allowed and just not documented or if this is potentially a bug and should be avoided?

2

Hi @brian.flannery , welcome to Auth0!

In this case the additional parameter is ignored by the server.
For example, sending both:
1.

url --request POST \
  --url https://{auth0_domain}/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"xxx","client_secret":"xxx","audience":"xxx/api/v2/","grant_type":"client_credentials"}'


url --request POST \
  --url https://{auth0_domain}/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"xxx","client_secret":"xxx","audience":"xxx/api/v2/","grant_type":"client_credentials", "random_metadata":"random_value"}'

results in receiving a bearer token with scopes and expiry time as set in the Auth0 dashboard.

Is this also a behaviour that you can observe? Please let us know any questions.

3

I do see that the server ignores the additional custom field by default, however I don’t expect this out of box and am trying to use an action to manually set this field.

Use case: I want to add the additional metadata to the access token via setting custom claims.
Below is a breakdown on my workflow

  1. Send HTTP request to oauth/token to get an access token. Here is my sample request
 response = httpx.post(
        f"https://{CONFIG.AUTH0_DOMAIN}/oauth/token",
        json={
            "grant_type": "client_credentials",
            "client_id": CONFIG.client_id,
            "client_secret": CONFIG.client_secret,
            "audience": CONFIG.API_AUDIENCE,
            "test_metadata": "test-metadata" // custom key/value pair
        },
    )
  1. Add a Machine-to-Machine action to intercept the Token Request ↔ Token Issued

Screenshot 2023-12-01 at 9.34.29 AM
Screenshot 2023-12-01 at 9.34.29 AM3020×1552 326 KB

  1. Get the test_metadata data field from the event.request.body and set api.accessToken.setCustomClaim equal to the field value

Screenshot 2023-12-01 at 9.27.06 AM
Screenshot 2023-12-01 at 9.27.06 AM3024×1554 508 KB

  1. When my server receives and decodes this token, I’m able to grab the custom claim data from the payload

Screenshot 2023-12-01 at 9.45.43 AM
Screenshot 2023-12-01 at 9.45.43 AM1790×1102 151 KB

Testing all this locally I am able to get the custom field on to my access token as I want.

What I want to confirm though is that being able to send the custom field via the /oauth/token and grabbing it from the action event, is a valid approach and not just a loophole in the endpoint ↔ event action.

5

Hi @brian.flannery ,
Thanks for your patience.

It is a valid approach, feel free to build on that.

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.