11011011
1101101122h ago

Bearer token type does not trigger 'preaccesstoken' v2 action not triggered

Hi, I have a project application configured as shown on the picture. Token settings: Bearer token. Actions V2 configured like this: 
 "condition": {
     "function": {
         "name": "preaccesstoken"
     }
 },
 "targets": [
     "340015244522941234"
 ]     
 "condition": {
     "function": {
         "name": "preaccesstoken"
     }
 },
 "targets": [
     "340015244522941234"
 ]
For now my target webhook is just there to print request body and to attach some claims for testing. When the token type is JWT, preaccesstoken action is triggered, response is modified and everything is fine. When the token type is Bearer, "preaccesstoken" action is not triggered. Bearer token is a bit shorter compared to JWT and we prefer to use it because we can easily store it in secure storage on different mobile platforms, while JWT can be too big sometimes. We would use token introspection where we would provide Bearer token and receive claims that we could dynamically attach using preaccesstoken action, but unfortuantelly it does not work. Is that expected behavior and if so, why?
No description
2 Replies
Ask Inkeep
Ask Inkeep22h ago
Hi @11011011, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question. Answer I wasn't able to find a direct answer about why preaccesstoken Actions v2 don't trigger with Bearer tokens, here are some relevant sources: 1. Migrate from Actions v1 to v2 (1) : This covers the migration from Actions v1 to v2 and mentions different flow types and triggers for authentication events. 2. [Bug]: Opaque token not working when creating user with custom userId (2) : This GitHub issue describes a similar problem where opaque tokens weren't working properly with custom user IDs, and switching to JWT tokens resolved the issue. I'd recommend clicking the "Ask for help" button to tag a team member who can provide specific details about Actions v2 behavior with Bearer/opaque tokens versus JWT tokens. ​ To learn more, see the sources I considered: [1] Migrate from Actions v1 to v2 [2] [Bug]: Opaque token not working when creating user with custom userId ​ Feel free to tag @Ask Inkeep with additional questions. Got it. Tagging @Rajat for additional help.
11011011
11011011OP22h ago
I would like to add an additional question about the token introspection - token type is JWT in this case and preaccesstoken action is triggered. In my golang webhook app I append some claims which I see in the JWT token that I receive. Later I want to introspect that token and in introspection response I don't see the claims that were appended to the token using preaccesstoken action. Is that a bug or my assumptions where I expected to have all the claims appended to the token will be available when I do an introspection are wrong? (I know I can read it all from the provided JWT once when token is verified using JWK or introspection, I'm just writing to add a more context to the initial question where the same thing would happen if the bearer token type is used).

Did you find this page helpful?