I have an m2m application and am trying to get a new oauth token using the POST ‘oauth/token’ endpoint.
Looking at the Authentication API - Get Token docs, the request parameters show the following.
When testing this endpoint, I am able to send additional custom key/value pairs in the request body. Below is a sample request.
```python
response = httpx.post(
    f"https://{CONFIG.AUTH0_DOMAIN}/oauth/token",
    json={
        "grant_type": "client_credentials",
        "client_id": CONFIG.client_id,
        "client_secret": CONFIG.client_secret,
        "audience": CONFIG.API_AUDIENCE,
        "test_metadata": "test-metadata",  # custom key/value pair
    },
)
```
I’m wondering if including additional custom data is allowed and just not documented or if this is potentially a bug and should be avoided?
Hi @brian.flannery , welcome to Auth0!
In this case the additional parameter is ignored by the server.
For example, sending both:
1.
```shell
curl --request POST \
  --url https://{auth0_domain}/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"xxx","client_secret":"xxx","audience":"xxx/api/v2/","grant_type":"client_credentials"}'
```
2.
```shell
curl --request POST \
  --url https://{auth0_domain}/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"xxx","client_secret":"xxx","audience":"xxx/api/v2/","grant_type":"client_credentials", "random_metadata":"random_value"}'
```
results in receiving a bearer token with scopes and expiry time as set in the Auth0 dashboard.
Is this also a behaviour that you can observe? Please let us know any questions.
I do see that the server ignores the additional custom field by default, however I don’t expect this out of box and am trying to use an action to manually set this field.
Use case : I want to add the additional metadata to the access token via setting custom claims.
Below is a breakdown of my workflow:

1. Send an HTTP request to `oauth/token` to get an access token. Here is my sample request:

```python
response = httpx.post(
    f"https://{CONFIG.AUTH0_DOMAIN}/oauth/token",
    json={
        "grant_type": "client_credentials",
        "client_id": CONFIG.client_id,
        "client_secret": CONFIG.client_secret,
        "audience": CONFIG.API_AUDIENCE,
        "test_metadata": "test-metadata",  # custom key/value pair
    },
)
```

2. Add a Machine-to-Machine action to intercept the Token Request ↔ Token Issued flow.
3. Get the `test_metadata` data field from `event.request.body` and call `api.accessToken.setCustomClaim` with the field value.
4. When my server receives and decodes this token, I'm able to grab the custom claim data from the payload.
Testing all this locally I am able to get the custom field on to my access token as I want.
What I want to confirm though is that being able to send the custom field via the /oauth/token
and grabbing it from the action event, is a valid approach and not just a loophole in the endpoint ↔ event action.
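The Action in step 2 and 3 of the workflow above, written out as an added example (this is not code from the thread or from Auth0). It uses the real Auth0 Machine-to-Machine Action hooks `onExecuteCredentialsExchange`, `event.request.body` and `api.accessToken.setCustomClaim`; the claim name `https://example.com/test_metadata`, the length limit and the allowed-character rule are assumptions chosen for illustration. The point a defender wants to see is that `event.request.body` is caller-supplied input, so the value is validated before it is copied into the token rather than passed through as-is, and a small local harness exercises the handler without the Auth0 runtime.

```javascript
// Added example, not from the thread or Auth0. Shows the M2M Action that
// copies `test_metadata` from the token request body into the access token
// as a custom claim, after validating it.

// Assumed claim name; namespacing with a URL avoids clashing with standard claims.
const CLAIM_NAME = 'https://example.com/test_metadata';
// Assumed validation rule: short, URL-safe characters only.
const MAX_LENGTH = 64;
const ALLOWED = /^[A-Za-z0-9_-]+$/;

// Returns the validated metadata string, or null when the field is absent,
// not a string, empty, too long, or contains characters outside the allowlist.
function extractMetadata(body) {
  if (!body || typeof body !== 'object') return null;
  const value = body.test_metadata;
  if (typeof value !== 'string') return null;
  if (value.length === 0 || value.length > MAX_LENGTH) return null;
  if (!ALLOWED.test(value)) return null;
  return value;
}

// Auth0 Machine-to-Machine (client credentials) Action handler.
// event.request.body is the JSON body the client sent to /oauth/token.
async function onExecuteCredentialsExchange(event, api) {
  const metadata = extractMetadata(event.request && event.request.body);
  if (metadata !== null) {
    api.accessToken.setCustomClaim(CLAIM_NAME, metadata);
  }
  // Invalid or missing values are simply not added to the token.
}

// In the Auth0 Action editor the handler is exported like this; guarded so the
// file also runs as an ES module locally.
if (typeof exports !== 'undefined') {
  exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;
}

// Minimal stand-in for the Action runtime so the handler can be exercised
// locally. Returns the claims the handler set for a given request body.
// The handler has no await, so its body completes synchronously.
function runLocally(body) {
  const claims = {};
  const api = {
    accessToken: {
      setCustomClaim: (name, value) => { claims[name] = value; },
    },
  };
  const event = { request: { body } };
  onExecuteCredentialsExchange(event, api);
  return claims;
}

// Constructed sample bodies: the thread's own request and an invalid one.
console.log(runLocally({ test_metadata: 'test-metadata' }));
console.log(runLocally({ test_metadata: 'not allowed <script>' }));
```

Because the request is authenticated with the client secret, the metadata comes from your own client, but the validation still keeps a compromised or misconfigured client from writing arbitrary strings into tokens that downstream APIs trust.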
Hi @brian.flannery ,
Thanks for your patience.
It is a valid approach, feel free to build on that.
system closed this topic on December 19, 2023, 7:06am: This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.