Strange namespace requirement for rule "Add email to access token"

dorin.clisu · February 1, 2021, 9:02am

I am trying to include user email in the access token and I found there is already such a rule in Access Control category.

The strange thing I noticed is that, it does not accept any arbitrary namespace.

function addEmailToAccessToken(user, context, callback) {
  // This rule adds the authenticated user's email address to the access token.
  var namescape = 'example.com';
  context.accessToken[namespace + '/email'] = user.email;
  return callback(null, user, context);
}

When I say it doesn’t work I mean it silently fails to add the claim.

https://my-api-audience → works
http://my-api-audience → works
rule → doesn’t work
abc123 → doesn’t work
http://rule → works

What’s the logic behind all this?

dorin.clisu · January 30, 2021, 5:18pm

I’m sorry, I tried editing the post but I don’t have permission.

Just to make sure, when I tried the combinations, I changed nothing else but the rule code, and called the /oauth/token endpoint then inspected the access_token on jwt.io.

Is it reasonable to say that the rule exepcts the namespace to be prefixed with http:// or https://? Why not allow arbitrary strings?