Custom Claim missing on new Google Social Connection Signup

Hello everyone!

TLDR; One of my rules that adds a custom claim to access tokens won’t work with a new Google signup, but works fine for regular Auth0 DB new signups.

I have a statistics website with a React FE and a .NET Core BE. So far, users have been creating new accounts/logging in as Auth0 DB users. Everything works fine - these signups use a combination of pre-registration hooks and a rule (see # 2 below) to handle custom claims/creating new users in my BE API.

I’ve recently setup the Google social connection so that users can signup/login w/ Google on my website. Two rules handle new Google Social Connection users

  1. Add new social user to my API - Check if a user is logging in for the first time and is from a social connection. If so, create the new user in my BE API and add my backend’s custom API ID to the user’s app_metadata.
  2. Add a custom claim to my Google user’s access token - Takes the custom API ID from the user’s app_metadata and adds it to the Google user’s access token

The first rule works fine. The second rule does not work the first time a user signs up/logs in with Social (Google). The claim does not get added to the token. If the user logs out and logs back in, the claim is added just fine.

Would appreciate any insight on this issue.

Update @ 01/01/2021 Still haven’t resolved this issue, bumping


If it helps, here is the rule code below:

function addMyBackendAppIdToAccessToken(user, context, callback) {
  var namespace = '';
  context.accessToken[namespace + 'myBackendAppId'] = user.app_metadata.myBackendAppId;
  callback(null, user, context);

Also, I installed the Real-time Webtask Logs so I could watch what was happening in real time. The ID is definitely coming back from my backend and the rule is running after the new user signs up with Google. The token that the user receives does not have the myBackendAppId claim though (the first time they log in/are redirected back to my site after sign up).

If they log out and then log back in, the new token DOES have the myBackendAppId claim. But I need it to be there when they first sign up (for obvious reasons).

Any help would be appreciated.

Thanks again!