I’ve changed focus from setting a custom claim to setting app_metadata because I learned that my application is already looking in app_metadata.authorization.roles in the token to find roles.
My login action is like this:
```js
exports.onExecutePostLogin = async (event, api) => {
  if (event.authorization) {
    // Copy the roles assigned for this login into app_metadata.authorization
    const authorization = { "roles": event.authorization.roles };
    api.user.setAppMetadata(`authorization`, authorization);
  }
};
```
This does have the intended effect of populating app_metadata. Now I can at least be certain the action is functioning.
In my application (Caddy Security), I can see the OIDC id token and OAuth access token are received. The id token looks normal to me, but the access token has a null claimset.
There are no characters between the . separators; only the JWT header and signature are defined.
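
One way to confirm the symptom described above, as an added example that is not part of the original post or of Caddy Security: split each compact token on its `.` separators, report which segments are empty, and check whether `app_metadata.authorization.roles` is readable. The function names and both sample tokens are constructed for illustration, and the code inspects structure only; it does not verify signatures.

```javascript
// Added example: inspect the shape of a compact token.
// A JWS compact token has 3 dot-separated segments, a JWE has 5.
// Structure check only: no signature verification is performed here.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Decode one base64url segment as JSON; null if it is empty or not JSON.
function decodeSegment(segment) {
  if (!segment) return null;
  try {
    return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

function inspectCompactToken(token) {
  const parts = String(token).split('.');
  const emptySegments = parts.flatMap((p, i) => (p === '' ? [i] : []));
  const kind = parts.length === 3 ? 'JWS' : parts.length === 5 ? 'JWE' : 'opaque';
  // Only a JWS-shaped token carries a readable claim set in segment 1.
  const claims = kind === 'JWS' ? decodeSegment(parts[1]) : null;
  return {
    kind,
    segments: parts.length,
    emptySegments,
    header: decodeSegment(parts[0]),
    hasClaims: claims !== null,
    // Path the post says the application reads roles from.
    roles: claims?.app_metadata?.authorization?.roles ?? null,
  };
}

// Constructed samples (not real tokens; the signature segment is a placeholder).
const SAMPLE_HEADER = enc({ alg: 'RS256', typ: 'JWT' });
const SAMPLE_ID_TOKEN = [
  SAMPLE_HEADER,
  enc({ sub: 'constructed-user', app_metadata: { authorization: { roles: ['admin'] } } }),
  'c2lnbmF0dXJl',
].join('.');
const SAMPLE_ACCESS_TOKEN = `${SAMPLE_HEADER}..c2lnbmF0dXJl`; // empty claim set

for (const [name, tok] of [['id_token', SAMPLE_ID_TOKEN], ['access_token', SAMPLE_ACCESS_TOKEN]]) {
  console.log(name, JSON.stringify(inspectCompactToken(tok)));
}
```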