Rule API changed without notice

Help
, , ,
1

Today we encountered an issue in our dev environment. After some digging it turned out that all the custom claims on our access_token were gone. So I started debugging the rule that provided these claims. Turns out that user.app_metadata was now undefined, though a new field user.metadata had the same content as user.app_metadata did previously.

Was this an intentional breaking change or is this a bug? Our production environment still works with the exact same rule contents.

Any insight into this issue would be very welcome

Update:
We are using auth0-js - v8.7.0 (GitHub - auth0/auth0.js: Auth0 headless browser sdk)

  • The auth requests affected use the following endpoint, with parameters something like this:
  • https://apptus-dev.eu.auth0.com/authorize
  • response_type=“id_token token”
  • response_mode=fragment
  • prompt=none
  • + scope, client_id, redirect_uri, state, nonce, audience
  • Database connection only
  • As far as I know, only I encountered it because no one else worked on this area before I made a fix to the rule. I can remove the fix and try with a few different users if necessary.
  • This happened every time from when I started to notice it. Since I adjusted the rule, I do not know if this still is an issue.

Update 2:
This just occurred now on our production environment: apptus.eu.auth0.com
Same behavior as dev environment. Seems to affect all users the same.

2

Hey man, I saw the same issue started to happen: Expected rule behaviour change `user.app_metadata` becoming `user.metadata` sometimes - Auth0 Community

3

@csv @martin.ma Can you both please provide the following for me to investigate:

  • What API calls were made to authenticate?
  • What connection were the users part of (database connection, Facebook, Google, etc)
  • Does this happen for all user or only a select few?
  • Does this happen all the time or only occasionally?
4

@prashant I updated the question with the details I have. Let me know if you need further information for now.

5

Thanks for notifying us of this issue - the engineering team is already working on a fix. In the meantime, please use the following at the beginning of your Rule to accommodate for both user.app_metadata and user.metadata:

var app_metadata = user.app_metadata || user.metadata;

//use `app_metadata` in Rule
6

Hi @prashant, for my case the details are as follows:

  • API Call: renewAuth (a.k.a. silent authentication, made through auth0.js - 8.4.0)
  • Connections: the issue happened for at least both ‘google-oauth2’ and ‘facebook’
  • Happened for all users. Could still be reproduced after removing the user and signing up again with the same user’s social identity.
  • Usually after the 2nd or 3rd silent-auth call.
7

Thanks @csv and @martin.ma - we have reproduced this on our end, with our engineering team working on a fix. Please see my answer for the workaround in the meantime.

8

Yeah, that’s similar to what I changed the rule to use.
Glad to know that this was a bug and not an undocumented breaking change :slight_smile:

1 Like
9

Hi @prashant, is there an estimated date when the fix will be rolled out?

1 Like