Cannot return required scope

seqq86 · February 14, 2018, 2:23am

Hi, I use non-OIDC authentication and I am requesting scope user_metadata.
Also I have rule:

    function (user, context, callback) {
      user.user_metadata = user.user_metadata || {}; 
      user.user_metadata.signup = true;
    
      auth0.users.updateUserMetadata(user.user_id, user.user_metadata);
      callback(null, user, context);
    }

But it does not return required scope.
Can you tell, please, what I am doing wrong?

ricardo.batista · February 15, 2018, 1:41am

If you’re using a non-OIDC client (a client with the ** Client Settings > Advanced Settings > OAuth > OIDC Conformant** switch disabled in the dashboard, you should be able to retrieve the user_metadata by adding it in the scope, for your authentication request.

As an example, if you’re using [Auth0.js] (GitHub - auth0/auth0.js: Auth0 headless browser sdk), you can request it with:

var webAuth = new auth0.WebAuth({
  domain: {YOUR_AUTH0_DOMAIN}, 
  clientID: {YOUR_CLIENT_ID},
  redirectUri: {REDIRECT_URL}, 
  scope: 'user_metadata',
  responseType: 'token id_token'
});
webAuth.authorize();

You’ll get an opaque access token and a JWT id token which will contain the user_metadata.

If you want to give OIDC a try, you could fetch this same information with a rule to add custom claims to the token, such as:

function (user, context, callback) {
  const namespace = 'https://myapp.example.com/';
  context.idToken[namespace + 'favorite_color'] = user.favorite_color;
  context.idToken[namespace + 'preferred_contact'] = user.user_metadata.preferred_contact;
  callback(null, user, context);
}

seqq86 · February 15, 2018, 3:07pm

I will try to use OIDC, but first would like try without it.

Auth0 client settings:
![alt text][1]

Auth0 connection settings:
![alt text][2]

Response:
![alt text][3]

I uploaded not full response, from the Auth0, because it had my private info. But it can be seen that it does not have user_metadata and also in does not exists in scope list. Can it be a bug?

seqq86 · February 15, 2018, 3:14pm

I already have add scope in the request:

    auth0 = new auth0.WebAuth({
        domain: AUTH_CONFIG.domain,
        clientID: AUTH_CONFIG.clientId,
        redirectUri: AUTH_CONFIG.callbackUrl,
        audience: `https://${AUTH_CONFIG.domain}/userinfo`,
        responseType: 'token id_token',
        scope: 'openid email profile user_metadata'
    });

And it does not return in response + in the response can be seen list of returned scopes: scope : “openid email profile”. So I think it is a bug.

ricardo.batista · February 15, 2018, 3:57pm

As shown in the documentation, if you include the audience, the request will still be run through the OIDC conformant pipeline.

Any authentication requests made with
an audience parameter will use the new
pipeline, and all other requests will
continue to work as usual.

This pipeline will be used if any of the following are true:

An authentication request was
initiated with an audience parameter.
The client being used is flagged as
OIDC Conformant (available at
Dashboard > Clients > Settings > Show
advanced settings > OAuth > OIDC
Conformant flag).

Can you try with?

auth0 = new auth0.WebAuth({
   domain: AUTH_CONFIG.domain,
   clientID: AUTH_CONFIG.clientId,
   redirectUri: AUTH_CONFIG.callbackUrl,
   responseType: 'token id_token',
   scope: 'openid user_metadata'
});