AshAuthentication: Generating JWT with extra claims

When tokens are enabled for a resource, there appears to be no way to customize the signed token with extra claims when using the AshAuthentication.Plug.

I tried manually defining routes for auth, but when I try to create the token manually with AshAuthentication.Jwt.token_for_user, I get duplicate tokens (Because store_all_tokens is true). If I set store_all_tokens? to false, I can manually create a token, but the token doesn’t get stored.

Question is, is it possible to add extra claims to the jwt when using the generated ash plug?

autentication do
    tokens do
        enabled? true
        token_resource AccountsService.Accounts.Token
        signing_secret AccountsService.Accounts.Secrets
        store_all_tokens? true
        require_token_presence_for_authentication? true
        token_lifetime {90, :days}

Hi @gordoneliel :wave:

So, looking at the code to refresh my memory, it seems that by default the primary key is the JTI, which is unique to every token so I don’t know how you could possibly be getting a conflict. Additionally, you can provide an alternative “purpose” for the token (defaults to "user") by passing the purpose option to token_for_user/3.

What I would probably do is customise your AuthController/AuthPlug success callback and have it ignore the auto-generated token and generate a new token with the claims you want.

I tried doing that, and going the full custom routes as well, but unfortunately the code for creating a token looks into the resource to check whether to store the token or not. If I leave it on, it works, but creates a duplicate token for one login request. If I turn off store_all_tokens? then nothing gets stored in the db.

  defp maybe_store_token(token, resource, user, purpose, opts) do
    if Info.authentication_tokens_store_all_tokens?(resource) do
      with {:ok, token_resource} <- Info.authentication_tokens_token_resource(resource) do
            "token" => token,
            "purpose" => to_string(purpose)
          Keyword.put(opts, :context, %{
            ash_authentication: %{
              user: user

Just to clarify, I’m not getting a conflict, what happens is that two tokens get created every time a user signs in

Ahhhh! I see. I thought you were running into a database constraint.

I think we could add a behaviour or callback to token generation that lets you modify the claims.