App metadata in resource owner

I’m trying to obtain a token via the resource owner grant, as follows:

POST https://<auth0_domain>/oauth/token

{
  "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
  "client_id": "<client id>",
  "password": "<pwd>",
  "scope": "openid name email app_metadata identities",
  "username": "<some user>",
  "realm": "<some connection>"
}

When I invoke this, it returns a token, but with an additional property:

"scope": "openid email"

Why is it returning only openid and email, while I requested app_metadata also?

👋 @ashiraz

The oauth/token endpoint is compliant with the OpenID Connect specification. In the OIDC-compliant pipeline, only a small number of attributes are marked as standard claims, and only these will be returned in the token, like the openid and email you are seeing. Any additional claims need to be added by manual mapping and must follow a namespaced format to avoid possible collisions with standard claims. These custom claims can only be added using a Rule. The rule will look something like this:

function (user, context, callback) {
  // Custom claims must be namespaced with a URL you control so they cannot
  // collide with standard OIDC claims; the same pattern applies to app_metadata.
  var namespace = 'https://example.com/';
  context.idToken[namespace + 'user_metadata'] = user.user_metadata;

  callback(null, user, context);
}
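The following is an added example, not code from the original thread or from Auth0: a complete Rule that maps both app_metadata and user_metadata into the ID token and the access token under a namespaced claim, guarded so a user with no metadata does not break the login, together with a small offline harness that runs the rule against a constructed user and context so the resulting claims can be inspected without an Auth0 tenant. The namespace `https://example.com/`, the user, the client ID and the metadata values are all assumptions for illustration.

```javascript
// Added example (not from the original thread or from Auth0). The namespace,
// user record, client ID and metadata values are assumptions for illustration.

// Rule body as it would be pasted into the Auth0 dashboard. Claims are keyed
// by an absolute URL you control so they can never collide with standard
// OIDC claims; a bare "app_metadata" key would not survive the OIDC pipeline.
function addMetadataClaims(user, context, callback) {
  var namespace = 'https://example.com/'; // assumed namespace

  // Guard against users that have no metadata at all, so the rule never
  // throws and blocks the login.
  var appMetadata = user.app_metadata || {};
  var userMetadata = user.user_metadata || {};

  // ID token: consumed by the client application.
  context.idToken[namespace + 'app_metadata'] = appMetadata;
  context.idToken[namespace + 'user_metadata'] = userMetadata;

  // Access token: consumed by your API, which cannot read the ID token.
  context.accessToken[namespace + 'app_metadata'] = appMetadata;
  context.accessToken[namespace + 'user_metadata'] = userMetadata;

  callback(null, user, context);
}

// Offline harness: invoke the rule the way the Auth0 pipeline would and
// capture the context it hands back through the callback.
function runRule(rule, user, context) {
  var result = null;
  rule(user, context, function (err, _user, ctx) {
    if (err) {
      throw err;
    }
    result = ctx;
  });
  return result;
}

// Constructed sample user (values are made up for this example).
function sampleUser() {
  return {
    user_id: 'auth0|000000000000000000000001',
    email: 'alice@example.com',
    app_metadata: { roles: ['admin'], tenant: 'acme' },
    user_metadata: { theme: 'dark' },
  };
}

// Constructed sample context with empty token claim sets, as the pipeline
// presents them before rules run.
function sampleContext() {
  return { clientID: 'example-client-id', idToken: {}, accessToken: {} };
}

// Reader side: a client or API looks the claim up by its namespaced key.
function getNamespacedClaim(claims, name) {
  return claims['https://example.com/' + name];
}

function exampleIdTokenClaims() {
  return runRule(addMetadataClaims, sampleUser(), sampleContext()).idToken;
}

function exampleAccessTokenClaims() {
  return runRule(addMetadataClaims, sampleUser(), sampleContext()).accessToken;
}

// Edge case: a user with no metadata still gets well-formed (empty) claims.
function exampleClaimsForUserWithoutMetadata() {
  return runRule(addMetadataClaims, { user_id: 'auth0|nometa' }, sampleContext()).idToken;
}
```

Requesting `app_metadata` in the `scope` parameter has no effect on the token contents; what appears in the token is exactly what the rule writes into `context.idToken` and `context.accessToken`, and the consumer reads it back by the full namespaced key.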
