Today we encountered an issue in our dev environment. After some digging it turned out that all the custom claims on our access_token were gone. So I started debugging the rule that provided these claims. Turns out that user.app_metadata was now undefined, though a new field user.metadata had the same content as user.app_metadata did previously.
Was this an intentional breaking change or is this a bug? Our production environment still works with the exact same rule contents.
As far as I know, only I encountered it because no one else worked on this area before I made a fix to the rule. I can remove the fix and try with a few different users if necessary.
This happened every time from when I started to notice it. Since I adjusted the rule, I do not know if this still is an issue.
Update 2:
This just occurred now on our production environment: apptus.eu.auth0.com
Same behavior as dev environment. Seems to affect all users the same.
Thanks for notifying us of this issue - the engineering team is already working on a fix. In the meantime, please use the following at the beginning of your Rule to accommodate for both user.app_metadata and user.metadata:
var app_metadata = user.app_metadata || user.metadata;
//use `app_metadata` in Rule
Thanks @csv and @martin.ma - we have reproduced this on our end, with our engineering team working on a fix. Please see my answer for the workaround in the meantime.