Rules to Actions. Add custom field to id Token JWT body

We currently use a simple “Username-Password-Authentication” connection to our custom database and request the following scopes: ‘openid email connection’. We are also using the Google IdP with the same Rules.

AFAIU, the data for all three scopes should go into the ID token JWT body; the first two come straight from the user DB data, but “connection” was added via the following Rule:

function (user, context, callback) {
    // Copy the connection name from the Rule context onto the user object
    user.connection = context.connection;
    callback(null, user, context);
}

But now we are migrating to Actions, and I don’t see how to do this in Actions.

I’ve tried setting a custom claim on the ID token:

api.idToken.setCustomClaim('connection', event.connection.name);

or setting a “connection” prop directly on “event.user”, but neither helped.

Please assist.

Hi @dmytro.demakov,

Thanks for reaching out to the Auth0 Community!

I understand you are migrating from Rules to Actions and have some questions about setting custom claims to the ID Token.

To do so, you will need to prepend a namespace to your custom claims. Note that a custom claim must take the form of a URI and cannot use reserved namespaces. See below for an example.

exports.onExecutePostLogin = async (event, api) => {
  // Any URI you control works as the namespace; reserved Auth0 namespaces are rejected
  const namespace = 'https://my-app.example.com';
  if (event.authorization) {
    // Claim name is the full URI; no stray whitespace in the key
    api.idToken.setCustomClaim(`${namespace}/connection`, event.connection.name);
  }
};

You may also find these Action examples helpful.

Please let me know if there’s anything else I can do to help.

Thank you.

Hey @rueben.tiow, thanks a lot for your answer, but let’s clarify some related questions.

Previously, with Rules, we didn’t use namespaced claims; we just set “connection” on the “user”, exactly as it was specified in the “scopes”.

Now you recommend using namespaced claims, so some questions come up:
1 - Should we update our scopes prop with this new namespaced ID instead of “connection”?
2 - AFAIU it will appear in the JWT body under this URL-like prop as well, right?
3 - So we will need to update our BE logic to read this updated parameter from the JWT body (replacing “connection”), correct?

Thanks in advance:)

Hi @dmytro.demakov,

Thank you for your response.

That is quite interesting. I am unsure how the Rule managed to work without a namespace. But all of our examples illustrate this with a namespace. If you have a moment, please take a look at this doc for clarity on appending custom claims in Rules.

No, you will not need to do that. The claims are appended to the ID token post-authentication, and writing the Action will suffice for that. The scope parameter is used to specify the permissions for API access (e.g. read:reports). See here for details.

Yes, your custom claims will appear in the JWT body payload. For example, you will see something like

{
  "https://my-app.example.com/connection": "Username-Password-Authentication",
  ... other claims below
}

Yes, you can decode the JWT token to get the custom claim in the payload data.

Hope this helps!

Thank you.

Dear @rueben.tiow,
It looks like I need some more assistance from your side.

I’ve just tried setting the namespaced custom claim on my ID token within the Action, but I don’t see any changes in my JWT body :frowning:

I tried different URLs for the namespace, including our Auth0 subdomain /oauth/ro request URL (https://{our-tenant-name}.auth0.com) and our actual staging website URL, but no luck.

I even just tried to add an ID token custom claim directly in the Rule via the following code:

function (user, context, callback) {
  const namespace = 'http://test.net';

  // Merge a namespaced test claim into whatever ID token claims already exist
  let idTokenClaims = context.idToken || {};
  idTokenClaims[`${namespace}/test`] = 'test';
  context.idToken = idTokenClaims;

  callback(null, user, context);
}

But it doesn’t work either.

Do you have any more ideas why the parameter doesn’t go into the ID token JWT?


Hi @dmytro.demakov,

Thank you for your response.

Could you please share your Action script?

Unfortunately, this is to be expected, and you cannot use an Auth0 reserved namespace, which includes:

Lastly, I have just tested your Rule, and everything works. I’ve checked the ID token and obtained the "http://test.net/test" : "test" claim. I attached a snippet of my payload:

Thanks.
