Where to find app_metadata in OIDC Conformant tokens & Express

Hi everyone,
I’m having some trouble connecting the dots for how to get app_metadata from a jwt token with Auth0. I am using Auth0 with an express app. I added the following lines to a rule that I had in the auth0 dashboard:

  var namespace = 'company';
  if('company' in user.app_metadata) {
    context.idToken[namespace]=user.app_metadata.company || "";
  }

In my express app, I take a look at my request and response, and I can’t find anything with the namespace “company”. Where should I be looking for this? I do use a jwt package that will take the jwt, verify it and add the decoded token info under req.user:

  import jwt from 'express-jwt';
  import jwksRsa from 'jwks-rsa';
  app.use(jwt({
    secret: jwksRsa.expressJwtSecret({
      cache: true,
      rateLimit: true,
      jwksRequestsPerMinute: 5,
      jwksUri: 'https://zzz.auth0.com/.well-known/jwks.json',
    }),
    audience: 'http://localhost:5000',
    issuer: 'https://zzz.auth0.com/',
    credentialsRequired: false,
    algorithms: ['RS256'],
  }));

My question is what am I missing here? I did enforce OIDC Conformant so I know the metadata won’t be in the token itself, but I just can’t figure out where to look.

Thanks!

The namespace should be of the form http://your.domain/company to avoid collisions with other claims.

   var namespace = 'http://your.domain/company';
   if('company' in user.app_metadata) {
     context.idToken[namespace]=user.app_metadata.company || "";
   }

Thanks for the feedback, I changed the namespace to my domain but I still can’t figure out where to find that field in either the req or res part of my express app.

Looking at my req headers, I see this:
![alt text][1]

Looking through the rest of those two objects, there isn’t obviously a field that has the new namespace that I created. I bet I am just looking in the wrong spot, but I’d love to find out where I need to be looking. Thanks!

It is inside the token. Copy the authorization header, excluding Bearer, and head over to jwt.io and decode the token there.

Sorry for the long delay but I’m still having issues with this. I modified the rule to the following, and when I log in, I see that idToken is being set in my context when I use the Real-time Webtask Logs in Auth0. When I go to my express webserver, I get a token in my header that does not include this new field when I decode it on jwt.io. I also do not see any additional fields coming back in my header. The namespace here matches the audience I am using for auth0. How exactly do I add that field to the jwt token? Thanks for your help!

  getPolicy(user, context, function(err, res, data) {
    if (err) {
      console.log('Error from Authorization Extension:', err);
      return callback(new UnauthorizedError('Authorization Extension: ' + err.message));
    }

    if (res.statusCode !== 200) {
      console.log('Error from Authorization Extension:', res.body || res.statusCode);
      return callback(
        new UnauthorizedError('Authorization Extension: ' + ((res.body && (res.body.message || res.body) || res.statusCode)))
      );
    }
    console.log(user.app_metadata);
    var namespace = 'http://localhost:5000';
    if('company' in user.app_metadata) {
      context.idToken[namespace]=user.app_metadata.company || "";
    }
    console.log(context);

    // Update the user object.
    user.groups = data.groups;

    return callback(null, user, context);
  });

According to this page, Auth0 will exclude non-namespaced claims. Could it be http://localhost:5000 is not approved as a namespace since it is not unique? And you should probably have a name in addition to the url as key.

     if('company' in user.app_metadata) {
       context.idToken['http://localhost:5000/company']=user.app_metadata.company || "";
     }
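
To check what the Express app actually receives without pasting a live token into a website, the decoding step and the namespaced-claim check from the replies above can be done locally in Node. This is an added example, not code from any poster in the thread; `inspectBearer`, `decodeSegment`, `encodeSegment` and `sampleHeader` are hypothetical helper names, and the sample token is constructed with a placeholder signature.

```javascript
// Added example: inspect a bearer token locally. Decoding is NOT verification;
// signature checks stay with express-jwt as configured in the thread.

// Decode one base64url JWT segment into an object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Take the raw Authorization header value and return the claims whose names
// are http(s) URLs (namespaced claims), plus iss/aud so you can tell which
// token you are looking at.
function inspectBearer(authorizationHeader) {
  const match = /^Bearer\s+(\S+)$/i.exec(authorizationHeader || '');
  if (!match) throw new Error('no bearer token in Authorization header');
  const parts = match[1].split('.');
  if (parts.length !== 3) throw new Error('not a signed compact JWT');
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const namespaced = {};
  for (const [name, value] of Object.entries(payload)) {
    if (/^https?:\/\//.test(name)) namespaced[name] = value;
  }
  return { alg: header.alg, iss: payload.iss, aud: payload.aud, namespaced };
}

// Constructed sample input: a token-shaped string with a placeholder signature.
function encodeSegment(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function sampleHeader(claims) {
  return 'Bearer ' + [encodeSegment({ alg: 'RS256', typ: 'JWT' }),
    encodeSegment(claims), 'constructed-signature'].join('.');
}

const withClaim = sampleHeader({
  iss: 'https://zzz.auth0.com/',
  aud: 'http://localhost:5000',
  'http://localhost:5000/company': 'acme', // namespaced claim name from the reply
  company: 'not-namespaced',               // plain name, filtered out below
});
console.log(inspectBearer(withClaim));
```

In a route handler the call would be `inspectBearer(req.headers.authorization)`. Because express-jwt places the decoded payload on `req.user`, a claim that is present in the token is read with bracket notation, for example `req.user['http://localhost:5000/company']`.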