Cannot get user_metadata

I have the following user_metadata:

[image: screenshot of the user_metadata JSON, not reproduced]

When a user is authenticated I get all of the profile information such as “nickname” and “email”, but the property “user_metadata” is missing from the user object. I also don’t see a property user_metadata, so when I try to print out “user_metadata” it is undefined. I am overwhelmed by the Rules, Management API, Lock . . . I am not sure what to use. All I want is to display the address of the user that I have stored in “user_metadata”. Any idea what I should do in this React application after the following code to retrieve this metadata?

const { isAuthenticated, login, logout, user } = useAuth();
console.log(user);

How do I get the metadata that is stored as JSON on the Auth0 site?

Thank you.


Hi @rkevinburton,

The two basic ways of doing this are: 1. adding claims to the user’s ID and / or access token(s) and 2. querying the /userinfo endpoint.

  1. requires that you write a Rule. As an example, here is a Rule that adds a fictitious uuid attribute from the user’s app_metadata to their ID token:
  2. requires that you get an access token and then call the /userinfo endpoint, requesting whatever user data you are interested in. I think this maybe works only for root profile attributes though.
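Added example for option 1 above; it is not code from this thread or one of Auth0’s sample Rules. It shows a Rule that copies selected user_metadata keys into the ID token as a namespaced custom claim, a small offline harness that calls the Rule the way Auth0 does, and how the React side reads the claim back. The namespace https://example.com/ and the key names address and phone are assumptions; substitute your own.

```javascript
'use strict';

// Added example, not code from this thread. Auth0 only keeps custom claims
// that are namespaced with a URL; 'https://example.com/' is a placeholder
// for a namespace you control.
const NAMESPACE = 'https://example.com/';

// Rule body, as it would be pasted into Auth0 > Auth Pipeline > Rules.
// user.user_metadata is editable by the end user (it is "user" metadata),
// so copy an allow-list of keys rather than the whole object: that keeps
// untrusted or bulky values out of the token.
function addUserMetadataToIdToken(user, context, callback) {
  const metadata = user.user_metadata || {};
  const allowed = ['address', 'phone']; // assumed keys; adjust to your data
  const picked = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(metadata, key)) {
      picked[key] = metadata[key];
    }
  }
  context.idToken[NAMESPACE + 'user_metadata'] = picked;
  return callback(null, user, context);
}

// Offline harness that invokes the Rule the way Auth0 does (node-style
// callback with user and context). Not an Auth0 API.
function runRule(rule, user, context) {
  let out;
  rule(user, context, (err, u, ctx) => {
    if (err) throw err;
    out = { user: u, context: ctx };
  });
  return out;
}

// Client side: the SDK decodes the ID token into the `user` object, so the
// claim shows up under its full namespaced key, not as `user.user_metadata`.
function addressFromUser(user) {
  const meta = user[NAMESPACE + 'user_metadata'];
  return meta && typeof meta.address === 'string' ? meta.address : undefined;
}

// Constructed sample data standing in for a real Auth0 user and context.
const sampleUser = {
  user_id: 'auth0|000000',
  email: 'someone@example.com',
  user_metadata: { address: '1 Main St', shoe_size: 42 },
};
const sampleContext = { idToken: {}, accessToken: {} };

const { context } = runRule(addUserMetadataToIdToken, sampleUser, sampleContext);
// What the decoded ID token would carry after the Rule runs:
console.log(JSON.stringify(context.idToken, null, 2));
```

With the Rule in place, the `user` object from the hook in the original question exposes the value as `user['https://example.com/user_metadata'].address`, which is what `addressFromUser` reads. Auth0 has since moved from Rules to Actions, where the equivalent in a post-login Action is `api.idToken.setCustomClaim(name, value)`; the allow-list and namespace considerations are the same.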

Thank you. For completeness, would you be able to elaborate on 2)? From the documentation it is not entirely clear to me how I get an access token. What do I use as the URL to make the call? What does the response look like? If I call the /userinfo endpoint I am assuming that the access_token is part of the header information in the request. I tried running this in Postman but I just get some form of access_denied, like:
POST /oauth/token HTTP/1.1
User-Agent: PostmanRuntime/7.25.0
Accept: */*
Cache-Control: no-cache
Postman-Token: e98ccbad-1390-4406-9c27-80f80482f5d4
Host: burton.auth0.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Cookie: did=s%3Av0%3Ad8b1afe0-424d-11ea-a5f8-d1743ac01df8.I7dbHa4GAq5fhNjt1P%2FOxwe%2FGqtYzJ6mVhBj%2B%2BzQakQ; did_compat=s%3Av0%3Ad8b1afe0-424d-11ea-a5f8-d1743ac01df8.I7dbHa4GAq5fhNjt1P%2FOxwe%2FGqtYzJ6mVhBj%2B%2BzQakQ

grant_type=client_credentials&client_id=&client_secret=&audience=

HTTP/1.1 401 Unauthorized
Date: Wed, 03 Jun 2020 15:58:15 GMT
Content-Type: application/json
Content-Length: 60
Connection: keep-alive
Server: nginx
ot-tracer-spanid: 41b5fafd7be9b412
ot-tracer-traceid: 099c8fbe33f443ad
ot-tracer-sampled: true
ot-baggage-auth0-request-id: 455409deda7f967f6c2bb74c
X-Auth0-RequestId: 28382747aeccfcfb0005
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 29
X-RateLimit-Reset: 1591199896
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform

{"error":"access_denied","error_description":"Unauthorized"}

I know this sounds like a request for some hand-holding but I don’t know what specific call to make and in what order. Is there some kind of step by step recipe that I can follow?


Also 1) seems to only expose a UUID property. How do I get all the key value pairs in the user_metadata for the user?

Thanks again.

The UUID thing was just an example. You need to modify the rule to add the metadata attributes you are interested in to your ID and / or access tokens. I have a couple more simple examples at the link below, but your best bet is the sample Rules that are available in the management console and the examples in the documentation:

You do need an access token to call /userinfo. In your example above, it looks like you are using the client credentials grant type (“grant_type=client_credentials”). You should be using the authorization code grant type instead.

Ref: Right way to call userinfo


This was what was in the example. I don’t know the options for possible “grant_type”s. What is the specific value for “authorization grant type”? I looked at the link and I couldn’t pick out a specific value there either.

Understood. Depending on which example or QuickStart you follow, you may or may not be using the correct grant type for what you are trying to do. Auth0 helps make a lot of this stuff much easier, but it is still important to understand the grant types available and when to use them.

For future-proofing purposes, I strongly recommend using only the “authorization code grant with PKCE” for normal applications and “client credentials” for machine-to-machine applications. These are the only two grant types in the proposed OAuth 2.1 spec.

The available flows are here: Authentication and Authorization Flows

Also have a look at the architecture scenarios which provide details for the most common use cases: Architecture Scenarios


So again I must be missing the flow. Would you be able to give me a flow for how this proceeds? From my understanding of your post I not only need to get an auth token but now I also need to get “client_credentials” to fill in the values for grant_type. Would you be able to elaborate on how this is done?

You need an access token to call /userinfo. You get an access token when you successfully call /authorize. You probably want to use the authorization code flow, or the authorization code flow with PKCE. After you do this, you will have an access token that you can use to call /userinfo.

But to be honest, I would just write a Rule to add the data you are looking for to the user’s ID token. Probably much simpler than trying to call /userinfo yourself.

I’d suggest grabbing the QuickStart for whatever stack you are using and have a look at the code there.


Fair enough. And writing a Rule does work and will get me moving forward. I am pursuing this mainly for completeness. I am having a hard time getting the /userinfo route to work. I will try to see if /authorize works for me. Thanks for your help.

More clarification. The documentation mentions a call to /authorize but in the flow it shows a redirect to an established callback. I would like to make a call to /authorize using something like Postman and get a response back (hopefully that contains the access token). Is there somewhere I can turn to see how to make /authorize call with Postman?

There are ready-made Postman collections available here:

And the APIs are documented here:

Authentication: https://auth0.com/docs/api/authentication

Management: Auth0 Management API v2


I am trying the Postman collections but it seems like I get some form of “access denied” for all the calls. For instance, when getting an access token this is the log of the request:

POST /oauth/token HTTP/1.1
User-Agent: PostmanRuntime/7.25.0
Accept: */*
Cache-Control: no-cache
Postman-Token: 544b9da1-0c18-43fc-9d06-500f08eb5cf1
Host: burton.auth0.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 161
Cookie: did=s%3Av0%3Ad8b1afe0-424d-11ea-a5f8-d1743ac01df8.I7dbHa4GAq5fhNjt1P%2FOxwe%2FGqtYzJ6mVhBj%2B%2BzQakQ; did_compat=s%3Av0%3Ad8b1afe0-424d-11ea-a5f8-d1743ac01df8.I7dbHa4GAq5fhNjt1P%2FOxwe%2FGqtYzJ6mVhBj%2B%2BzQakQ

grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&audience=

HTTP/1.1 403 Forbidden
Date: Fri, 05 Jun 2020 18:42:55 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Server: nginx
Vary: Accept-Encoding
ot-tracer-spanid: 57e336482becb8f2
ot-tracer-traceid: 733a3be3544f1aa2
ot-tracer-sampled: true
ot-baggage-auth0-request-id: ddcba9a0e0b91a1c0ca4a2b0
X-Auth0-RequestId: d6dc42553ce8948b12d6
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 29
X-RateLimit-Reset: 1591382576
cache-control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform
Content-Encoding: gzip

{"error":"unauthorized_client","error_description":"Grant type 'client_credentials' not allowed for the client.","error_uri":"https://auth0.com/docs/clients/client-grant-types"}

Is the client_credentials grant type enabled for the client e9gzWGHw0P1E66adOm4kDCJwHgEZwDdZ?

Also, don’t post your client secret in the forums. It’s supposed to be a secret!


Good point. Thank you. How do I know that client_credentials grant type is enabled?