App_metadata not being fetched from google-apps?

I have a Google Enterprise login, where a requirement is that the user is a member of a specific group (in the G Suite) to be authorized and allowed access.

We have a bunch of users this works for, and the way it has been set up for them is by adding them to the specific group in the G Suite Admin Console. This group affiliation has then automatically become available to Auth0, somehow.

My user, on the other hand, was set up and granted access to this particular service a bit later on – perhaps after some significant changes (OIDC?), and whenever I try logging in I get ‘Wrong credentials’. I am logged into Google [on the correct account] in my browser, so the only “credential” that is wrong is the G Suite group affiliation that isn’t available via Auth0.

Looking at the other users that have access, their Auth0 user profiles look just like mine. There are no hard-coded groups, all required metadata is indeed being fetched from Google.

Now, when I hard-code the following into the app_metadata field on my cached Auth0 user, it all works.

{
  "groups": [
    "special_group"
  ]
}

This issue is not about me wanting metadata to be available in the idToken as so many others seem to need in this forum; it’s about Auth0 not having access to relevant fields on my G Suite user when doing the authorization check itself, before I get the login response.

I want to make such hard-coded values unnecessary for future users (we don’t control our clients’ enterprise systems, obviously). Is there some kind of Auth0 interface where I can re-request metadata from my user’s connections, making them available for future authorization control checks? And why isn’t it synced in the first place?

I appreciate any help!
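
As an added illustration of the situation in this post (not code from the thread or from Auth0): a group check that fails closed, yet distinguishes a profile with no group data at all from one that simply lacks the group, and marks access that was granted only through a hard-coded `app_metadata` entry. The top-level `groups` field for directory-synced groups, the function names and the sample profiles are assumptions.

```javascript
'use strict';

// Return `value` if it is an array of strings, otherwise null (no usable data).
function asGroupList(value) {
  if (!Array.isArray(value)) return null;
  return value.every((g) => typeof g === 'string') ? value : null;
}

// Group gate for one user profile. Always fails closed, but reports why.
function checkGroupAccess(profile, requiredGroup) {
  const p = profile || {};
  // Assumption: directory-synced groups arrive as a top-level `groups` array.
  const synced = asGroupList(p.groups);
  // Hard-coded override, as in the post's app_metadata snippet.
  const manual = asGroupList(p.app_metadata && p.app_metadata.groups);

  if (synced && synced.includes(requiredGroup)) {
    return { allowed: true, reason: 'member', source: 'idp' };
  }
  if (manual && manual.includes(requiredGroup)) {
    // Access works, but it bypasses the directory: surface it for review.
    return { allowed: true, reason: 'member', source: 'app_metadata_override' };
  }
  if (!synced && !manual) {
    // No group data at all: a sync/configuration problem, not a bad login.
    return { allowed: false, reason: 'groups_not_synced', source: null };
  }
  return { allowed: false, reason: 'not_member', source: null };
}

// Constructed sample profiles (not real users).
const SAMPLE_PROFILES = [
  { email: 'a@example.com', groups: ['staff', 'special_group'] },
  { email: 'b@example.com', app_metadata: { groups: ['special_group'] } },
  { email: 'c@example.com' },
  { email: 'd@example.com', groups: ['staff'] },
];

// Evaluate every profile and keep the decision next to the user.
function auditProfiles(profiles, requiredGroup) {
  return profiles.map((p) => ({ user: p.email, ...checkGroupAccess(p, requiredGroup) }));
}

console.log(auditProfiles(SAMPLE_PROFILES, 'special_group'));
```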

Hey there @hein, I wanted to reach out and let you know that after confirming with support, when setting up a connection, there are checkboxes for Extended Attributes. One of these checkboxes is for groups. When you get a second, can you confirm that you do have that enabled? Otherwise it won’t pull details for groups. If you do freshly enable it, please reauthenticate with the groups box checked and it should pull the corresponding props. Please let me know if this helps you in your quest, thanks!

Hi @James.Morrison, and thanks for your reply!

The configuration for the connection looks like this (not sure if the other options I included in the screenshot are relevant):

So unless Users API is required for this, it seems like everything is configured correctly?

Hi again!

We set up the Google Apps connection again, from scratch. My Google groups are now being synced, and hopefully it will work for future users too! 🙂


I’m glad it all worked out @hein! Please let us know if you run into any future issues and we’ll be happy to help, thanks!
