App_metadata not being returned in token from /oauth/token even though rule exists


I’m creating a JMeter test inside a GitLab pipeline. The domain I am testing takes a JWT in the Authorisation header (Bearer) in the request.

I’m using the following curl command to authenticate and get a token back:

curl --request POST \
  --url '' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=password' \
  --data 'username=BruceWayne' \
  --data 'password=BatMan123' \
  --data 'audience=' \
  --data 'scope=read:current_user' \
  --data 'client_id=fMHp…MHho' \
  --data 'client_secret=3b-joVidd…dibANvI'

And I have the following rule set up to add app_metadata to the token:

function (user, context, callback) {
  const namespace = '';
  // Custom claims are written to the ID Token here.
  context.idToken[namespace + 'authorities'] = user.app_metadata.roles;
  context.idToken[namespace + 'locale'] = user.app_metadata.itc_locale.toUpperCase();
  context.idToken[namespace + 'user_name'] = user.user_name;
  callback(null, user, context);
}

A token is returned minus the rule controlled app_metadata. What am I missing or why is it ignoring the rule?

Any ideas will be greatly appreciated.



Hi @richard.sanigar,

Try updating your rule to add the metadata to the Access Token instead of the ID Token.

function (user, context, callback) {
  const namespace = '';
  // Custom claims are written to the Access Token instead of the ID Token.
  context.accessToken[namespace + 'authorities'] = user.app_metadata.roles;
  context.accessToken[namespace + 'locale'] = user.app_metadata.itc_locale.toUpperCase();
  context.accessToken[namespace + 'user_name'] = user.user_name;
  callback(null, user, context);
}

Unlike the Authorization Code flow, the Resource Owner Password flow only passes an Access Token and not an ID Token.
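A way to confirm from a pipeline which token the rule's claims ended up in, as an added example that is not part of the original posts: it decodes each token in an /oauth/token response and lists the expected claims missing from it. The namespace `https://example.test/`, the helper names and the sample token are constructed for illustration.

```javascript
// Decode the payload of a compact JWT. No signature verification: this is a
// debugging aid for inspecting claims, not a validation step.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  // Node's base64 decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// For each token field, report whether it was returned, whether it is a JWT,
// and which of the expected namespaced claims are missing from it.
function checkRuleClaims(tokenResponse, namespace, claimNames) {
  const report = {};
  for (const field of ['access_token', 'id_token']) {
    const token = tokenResponse[field];
    if (!token) {
      report[field] = { present: false, jwt: false, missing: [...claimNames] };
      continue;
    }
    let payload;
    try {
      payload = decodeJwtPayload(token);
    } catch (err) {
      // Opaque (non-JWT) token: claims cannot be read from it.
      report[field] = { present: true, jwt: false, missing: [...claimNames] };
      continue;
    }
    const missing = claimNames.filter((c) => !((namespace + c) in payload));
    report[field] = { present: true, jwt: true, missing };
  }
  return report;
}

// Constructed sample: an unsigned token built locally, not a real response.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const NS = 'https://example.test/'; // hypothetical namespace
const sampleResponse = { // password-grant style response: no id_token
  access_token: makeSampleToken({
    sub: 'auth0|constructed',
    [NS + 'authorities']: ['ROLE_USER'],
    [NS + 'locale']: 'EN',
  }),
  token_type: 'Bearer',
};
console.log(checkRuleClaims(sampleResponse, NS, ['authorities', 'locale', 'user_name']));
```
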

Wow, thank you Stephanie, that has helped a lot
Kind regards


Glad to hear that helped!
