Help needed: Custom claim not appearing in token/userinfo from Complement Token Action
I'm working on integrating Zitadel with pgAdmin using OAuth2. My goal is to include a custom
I've created a Complement Token script to flatten the
For example, even this simplified test script doesn't work:
I've ensured:
- The script is enabled and attached to the correct Trigger: Pre Userinfo Creation, Pre Access Token Creation
- The user has valid roles
- I'm inspecting
Still, only the default Zitadel claims are returned. My custom claim (
Am I missing something for Complement Token Actions to take effect? Do I need to adjust scopes or project settings to expose custom claims?
Here's a screenshot of my action configuration and a copy of the script. Any guidance would be much appreciated!
Thanks in advance!
My Script:
rolesroles claim in the ID token and userinfo response, so I can leverage OAUTH2_ADDITIONAL_CLAIMSOAUTH2_ADDITIONAL_CLAIMS in pgAdmin for access control.I've created a Complement Token script to flatten the
grantsgrants structure and set a custom rolesroles claim. However, neither this dynamic claim nor even a simple static claim (for testing) appears in the ID token or userinfo output.For example, even this simplified test script doesn't work:
function flatRoles(ctx, api) {
api.v1.claims.setClaim("test", "hello");
}function flatRoles(ctx, api) {
api.v1.claims.setClaim("test", "hello");
}I've ensured:
- The script is enabled and attached to the correct Trigger: Pre Userinfo Creation, Pre Access Token Creation
- The user has valid roles
- I'm inspecting
userinfouserinfo and the tokentoken in pgAdmin logsStill, only the default Zitadel claims are returned. My custom claim (
testtest or rolesroles) is never visible. Am I missing something for Complement Token Actions to take effect? Do I need to adjust scopes or project settings to expose custom claims?Here's a screenshot of my action configuration and a copy of the script. Any guidance would be much appreciated!
Thanks in advance!
My Script:
/**
* Flatten roles into a top-level "roles" claim.
* Format: "roles": ["role1", "role2", ...]
*
* Flow: Complement Token
* Triggers: Pre Userinfo Creation, Pre Access Token Creation
*
* @param ctx
* @param api
*/
function flatRoles(ctx, api) {
const userGrants = ctx.v1.user?.grants?.grants;
if (!userGrants || userGrants.length === 0) {
return;
}
const flatRoles = [];
userGrants.forEach(grant => {
if (grant.roles && grant.roles.length > 0) {
grant.roles.forEach(role => flatRoles.push(role));
}
});
if (flatRoles.length > 0) {
api.v1.claims.setClaim("roles", flatRoles);
}
}/**
* Flatten roles into a top-level "roles" claim.
* Format: "roles": ["role1", "role2", ...]
*
* Flow: Complement Token
* Triggers: Pre Userinfo Creation, Pre Access Token Creation
*
* @param ctx
* @param api
*/
function flatRoles(ctx, api) {
const userGrants = ctx.v1.user?.grants?.grants;
if (!userGrants || userGrants.length === 0) {
return;
}
const flatRoles = [];
userGrants.forEach(grant => {
if (grant.roles && grant.roles.length > 0) {
grant.roles.forEach(role => flatRoles.push(role));
}
});
if (flatRoles.length > 0) {
api.v1.claims.setClaim("roles", flatRoles);
}
}
