Hi
I am trying to add a custom claim to my access tokens using a custom action:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Adds the authenticated user's ID to the access token under a namespaced custom claim.
  if (event.authorization) {
    const namespace = 'https://foo.com';
    api.accessToken.setCustomClaim(`${namespace}/claims/userId`, event.user.user_id);
  }
};
```
I retrieve an access token using the new PKCE grant type for OAuth 2.0 Authorisation in Postman 10.6.7
I am getting an access token back but the payload is empty.
Any ideas on what I'm doing wrong?
Thanks
Hi @benmsullivan
Thanks for getting in touch with us at Auth0 Community.
If the payload is empty, please ensure you are including an audience as part of your /authorize request for PKCE, e.g.:
```
https://YOUR_DOMAIN/authorize?
response_type=code&
code_challenge={codeChallenge}&
code_challenge_method=S256&
client_id=YOUR_CLIENT_ID&
redirect_uri={yourCallbackUrl}&
scope=SCOPE&
audience={apiAudience}
```
https://auth0.com/docs/get-started/authentication-and-authorization-flow/call-your-api-using-the-authorization-code-flow-with-pkce#example-authorization-url
Warm regards.
Hi @SaqibHussain
I have added the client id as the audience in the Postman config but I still don’t see the custom claim on the access token…
Hi @benmsullivan
The audience needs to be the API identifier, i.e. the target for the access token; it will be a URI. Please see this community post for more info: https://community.auth0.com/t/what-is-the-audience/71414
Warm regards.
Thanks @SaqibHussain
So I created a new API (was wondering what that was for) and set the audience config in postman to the URI configured in the Auth0 API audience field.
Still no custom claim in access token 
What grant types do I need on my application for PKCE? I only have Authorisation Code switched on as I don’t want to issue refresh tokens…
Just also wondering why there are no claims at all in the access token payload? Shouldn’t “sub” be in there?
Hi @benmsullivan
Yes, there should be some claims unless your access token is still opaque, which it shouldn't be if you included an audience in your /authorize request; see my test below:
```
https://your-domain/authorize?
response_type=code&
code_challenge=DNfupk731FmSqmTiRooflxhiOx9Ag6NrpLJUGqofX3s&
code_challenge_method=S256&
client_id=yvGWLFsJ06nWfQO4VfbRpeweT8IY3SmA&
redirect_uri=https://jwt.io&
scope=openid%20profile%20email&
audience=http://myapi.com/api
```