Auth0 Home Blog Docs

Cannot return required scope



Hi, I use non-OIDC authentication and I am requesting scope user_metadata.
Also I have rule:

    function (user, context, callback) {
      user.user_metadata = user.user_metadata || {}; 
      user.user_metadata.signup = true;
      auth0.users.updateUserMetadata(user.user_id, user.user_metadata);
      callback(null, user, context);

But it does not return required scope.
Can you tell, please, what I am doing wrong?


If you’re using a non-OIDC client (a client with the ** Client Settings > Advanced Settings > OAuth > OIDC Conformant** switch disabled in the dashboard, you should be able to retrieve the user_metadata by adding it in the scope, for your authentication request.

As an example, if you’re using [Auth0.js] (, you can request it with:

var webAuth = new auth0.WebAuth({
  domain: {YOUR_AUTH0_DOMAIN}, 
  clientID: {YOUR_CLIENT_ID},
  redirectUri: {REDIRECT_URL}, 
  scope: 'user_metadata',
  responseType: 'token id_token'

You’ll get an opaque access token and a JWT id token which will contain the user_metadata.

If you want to give OIDC a try, you could fetch this same information with a rule to add custom claims to the token, such as:

function (user, context, callback) {
  const namespace = '';
  context.idToken[namespace + 'favorite_color'] = user.favorite_color;
  context.idToken[namespace + 'preferred_contact'] = user.user_metadata.preferred_contact;
  callback(null, user, context);


I will try to use OIDC, but first would like try without it.

Auth0 client settings:
![alt text][1]

Auth0 connection settings:
![alt text][2]

![alt text][3]

I uploaded not full response, from the Auth0, because it had my private info. But it can be seen that it does not have user_metadata and also in does not exists in scope list. Can it be a bug?


I already have add scope in the request:

    auth0 = new auth0.WebAuth({
        domain: AUTH_CONFIG.domain,
        clientID: AUTH_CONFIG.clientId,
        redirectUri: AUTH_CONFIG.callbackUrl,
        audience: `https://${AUTH_CONFIG.domain}/userinfo`,
        responseType: 'token id_token',
        scope: 'openid email profile user_metadata'

And it does not return in response + in the response can be seen list of returned scopes: scope : “openid email profile”. So I think it is a bug.


As shown in the documentation, if you include the audience, the request will still be run through the OIDC conformant pipeline.

Any authentication requests made with
an audience parameter will use the new
pipeline, and all other requests will
continue to work as usual.

This pipeline will be used if any of the following are true:

  • An authentication request was
    initiated with an audience parameter.
  • The client being used is flagged as
    OIDC Conformant (available at
    Dashboard > Clients > Settings > Show
    advanced settings > OAuth > OIDC
    Conformant flag).

Can you try with?

auth0 = new auth0.WebAuth({
   domain: AUTH_CONFIG.domain,
   clientID: AUTH_CONFIG.clientId,
   redirectUri: AUTH_CONFIG.callbackUrl,
   responseType: 'token id_token',
   scope: 'openid user_metadata'