Unable to add custom claim to access token using custom action

Hi

I am trying to add a custom claim to my access tokens using a custom action:

```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Adds the authenticated user's user_id to the access token as a namespaced custom claim.
  if (event.authorization) {
    const namespace = 'https://foo.com';
    api.accessToken.setCustomClaim(`${namespace}/claims/userId`, event.user.user_id);
  }
};
```

I retrieve an access token using the new PKCE grant type for OAuth 2.0 Authorisation in Postman 10.6.7.

I am getting an access token back but the payload is empty.

Any ideas on what I'm doing wrong?

Thanks

Hi @benmsullivan

Thanks for getting in touch with us at Auth0 Community.

If the payload is empty please ensure you are including an audience as part of your /authorize for PKCE e.g.

https://YOUR_DOMAIN/authorize?
    response_type=code&
    code_challenge={codeChallenge}&
    code_challenge_method=S256&
    client_id=YOUR_CLIENT_ID&
    redirect_uri={yourCallbackUrl}&
    scope=SCOPE&
    audience={apiAudience}

https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-authorization-code-flow-with-pkce#example-authorization-url

Warm regards.

Hi @SaqibHussain

I have added the client id as the audience in the Postman config but I still don’t see the custom claim on the access token…

Hi @benmsullivan

The audience needs to be the API identifier, i.e. the target for the access token; it will be a URI. Please see this community post for more info: https://community.auth0.com/t/what-is-the-audience/71414

Warm regards.


Thanks @SaqibHussain

So I created a new API (was wondering what that was for) and set the audience config in postman to the URI configured in the Auth0 API audience field.

Still no custom claim in access token :frowning:

What grant types do I need on my application for PKCE? I only have Authorisation Code switched on as I don’t want to issue refresh tokens…

Just also wondering why there are no claims at all in the access token payload? Shouldn’t “sub” be in there?

Hi @benmsullivan

Yes, there should be some claims unless your access token is still opaque, which it shouldn't be if you included an audience in your /authorize request. See my test below:

https://your-domain/authorize?
response_type=code&
code_challenge=DNfupk731FmSqmTiRooflxhiOx9Ag6NrpLJUGqofX3s&
code_challenge_method=S256&
client_id=yvGWLFsJ06nWfQO4VfbRpeweT8IY3SmA&
redirect_uri=https://jwt.io&
scope=openid%20profile%20email&
audience=http://myapi.com/api

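A quick way to check what the thread is diagnosing, as an added example that is not part of the original replies: decode the returned access token to see whether it is opaque (no audience requested) or a JWT, and whether the namespaced claim from the Action and the expected audience are present. The namespace, audience and token values below are constructed for the example; the decoder reads the payload only and verifies no signature, so it is a debugging aid, not an authorisation check.

```javascript
// Added example, not code from the thread or from Auth0.
// Decodes a JWT payload (no signature verification) to check for the custom claim.

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  const padded = str.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Returns { type, payload, hasCustomClaim, audienceMatches } for a bearer token.
function inspectAccessToken(token, namespace, audience) {
  const opaque = { type: 'opaque', payload: null, hasCustomClaim: false, audienceMatches: false };
  const parts = token.split('.');
  if (parts.length !== 3) return opaque;            // opaque tokens are not header.payload.signature
  let payload;
  try {
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch {
    return opaque;                                  // middle segment is not base64url-encoded JSON
  }
  const claimName = `${namespace}/claims/userId`;   // same naming as the Action in the question
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return {
    type: 'jwt',
    payload,
    hasCustomClaim: Object.prototype.hasOwnProperty.call(payload, claimName),
    audienceMatches: aud.includes(audience),
  };
}

// Constructed sample values (hypothetical; the JWT is unsigned, its third segment is a placeholder).
const NAMESPACE = 'https://foo.com';
const AUDIENCE = 'http://myapi.com/api';
const OPAQUE_TOKEN = 'wnV1i2QsN9x0aZbK';          // shape of a token issued without an audience
const JWT_WITH_CLAIM = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({
    sub: 'auth0|abc123', aud: [AUDIENCE], scope: 'openid profile email',
    [`${NAMESPACE}/claims/userId`]: 'auth0|abc123',
  })),
  'placeholder-signature',
].join('.');

console.log(inspectAccessToken(OPAQUE_TOKEN, NAMESPACE, AUDIENCE).type);    // opaque
console.log(inspectAccessToken(JWT_WITH_CLAIM, NAMESPACE, AUDIENCE));         // jwt, hasCustomClaim: true
```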
