Oauth/token request payload custom key/values

I have an m2m application and am trying to get a new oauth token using the POST ‘oauth/token’ endpoint.

Looking at the Authentication API - Get Token docs, the request parameters show the following.

When testing this endpoint, I am able to send additional custom key/value pairs in the request body. Below is a sample request.

    import httpx

    response = httpx.post(
        f"https://{CONFIG.AUTH0_DOMAIN}/oauth/token",
        json={
            "grant_type": "client_credentials",
            "client_id": CONFIG.client_id,
            "client_secret": CONFIG.client_secret,
            "audience": CONFIG.API_AUDIENCE,
            "test_metadata": "test-metadata",  # custom key/value pair
        },
    )

I’m wondering if including additional custom data is allowed and just not documented or if this is potentially a bug and should be avoided?

Hi @brian.flannery, welcome to Auth0!

In this case the additional parameter is ignored by the server.
For example, sending both:

1.

    curl --request POST \
      --url https://{auth0_domain}/oauth/token \
      --header 'content-type: application/json' \
      --data '{"client_id":"xxx","client_secret":"xxx","audience":"xxx/api/v2/","grant_type":"client_credentials"}'

2.

    curl --request POST \
      --url https://{auth0_domain}/oauth/token \
      --header 'content-type: application/json' \
      --data '{"client_id":"xxx","client_secret":"xxx","audience":"xxx/api/v2/","grant_type":"client_credentials", "random_metadata":"random_value"}'

results in receiving a bearer token with scopes and expiry time as set in the Auth0 dashboard.

Is this also a behaviour that you can observe? Please let us know any questions.

I do see that the server ignores the additional custom field by default; however, I don't expect this out of the box and am trying to use an action to manually set this field.

Use case: I want to add the additional metadata to the access token via setting custom claims.
Below is a breakdown of my workflow:

1. Send an HTTP request to oauth/token to get an access token. Here is my sample request:

        import httpx

        response = httpx.post(
            f"https://{CONFIG.AUTH0_DOMAIN}/oauth/token",
            json={
                "grant_type": "client_credentials",
                "client_id": CONFIG.client_id,
                "client_secret": CONFIG.client_secret,
                "audience": CONFIG.API_AUDIENCE,
                "test_metadata": "test-metadata",  # custom key/value pair
            },
        )

2. Add a Machine-to-Machine action to intercept the Token Request ↔ Token Issued flow.

3. Get the test_metadata field from event.request.body and call api.accessToken.setCustomClaim with the field value.

4. When my server receives and decodes this token, I'm able to grab the custom claim data from the payload.

Testing all this locally I am able to get the custom field on to my access token as I want.

What I want to confirm though is that being able to send the custom field via the /oauth/token and grabbing it from the action event, is a valid approach and not just a loophole in the endpoint ↔ event action.
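An added example (not code from this thread) of the action in steps 2 and 3, written against the Auth0 Actions Credentials Exchange trigger. The claim namespace, the length bound and the allowed-character pattern are assumptions; the field name test_metadata is the one used above. Because the value comes from the request body, the action validates it before it is signed into the token and denies the request if it is malformed:

```javascript
// Added example: Auth0 Action for the Machine-to-Machine (Credentials Exchange)
// flow that copies the client-supplied "test_metadata" field into a namespaced
// custom claim. Not the thread author's own action code.
const CLAIM_NAMESPACE = "https://example.com/"; // assumed namespace (placeholder)
const FIELD = "test_metadata";                  // field name used in the thread
const MAX_LEN = 64;                             // assumed upper bound
const ALLOWED = /^[A-Za-z0-9._-]+$/;            // assumed value shape

// The client is authenticated (it holds the secret), but the field is still
// request input: bound its type, length and character set before it becomes
// part of a signed token instead of copying it blindly.
function validateMetadata(value) {
  if (value === undefined) return { ok: true, value: undefined }; // optional field
  if (typeof value !== "string") return { ok: false, reason: `${FIELD} must be a string` };
  if (value.length === 0 || value.length > MAX_LEN) {
    return { ok: false, reason: `${FIELD} length must be 1-${MAX_LEN}` };
  }
  if (!ALLOWED.test(value)) return { ok: false, reason: `${FIELD} has unexpected characters` };
  return { ok: true, value };
}

// Credentials Exchange handler signature: (event, api).
async function onExecuteCredentialsExchange(event, api) {
  const body = (event.request && event.request.body) || {};
  const result = validateMetadata(body[FIELD]);
  if (!result.ok) {
    // Fail closed: no token is issued for a malformed value.
    // "invalid_request" as the error code is an assumption.
    api.access.deny("invalid_request", result.reason);
    return;
  }
  if (result.value !== undefined) {
    api.accessToken.setCustomClaim(`${CLAIM_NAMESPACE}${FIELD}`, result.value);
  }
}

// Export in the shape the Actions runtime expects (guarded so the file also
// runs as a plain script).
if (typeof exports !== "undefined") {
  exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;
}
```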

Hi @brian.flannery,
Thanks for your patience.

It is a valid approach, feel free to build on that.
