I have a Google Enterprise login, where a requirement is that the user is a member of a specific group (in the G Suite) to be authorized and allowed access.
We have a bunch of users this works for, and the way it has been set up for them is by adding them to the specific group in the G Suite Admin Console. This group affiliation has then automatically become available to Auth0, somehow.
My user, on the other hand, was set up and granted access to this particular service a bit later on – perhaps after some significant changes (OIDC?) and whenever I try logging in I get ‘Wrong credentials’. I am logged into Google [on the correct account] in my browser, so the only “credential” that is wrong is the G Suite group affiliation that isn’t available via Auth0.
Looking at the other users that have access, their Auth0 user profiles look just like mine. There are no hard-coded groups, all required metadata is indeed being fetched from Google.
Now, when I hard-code the following into the app_metadata field on my cached Auth0 user, it all works.
{
  "groups": [
    "special_group"
  ]
}
This issue is not about me wanting metadata to be available in the idToken as so many others seem to need in this forum, it’s about Auth0 not having access to relevant fields on my G Suite user when doing the authorization check itself, before I get the login response.
I want to make such hard-coded values unnecessary for future users (we don’t control our clients’ enterprise systems, obviously). Is there some kind of Auth0 interface where I can re-request metadata from my user’s connections, making them available for future authorization control checks? And why isn’t it synced in the first place?
I appreciate any help!