I am trying to authenticate a user and obtain their app_metadata from the main process of an electron app. Using webAuth.client.login() works fine, however, calling webAuth.client.userInfo() afterwards does not include the user’s app_metadata.
Unfortunately, webAuth.client.login() also does not include the userId, which prevents me from using the management api to fetch the user_profile instead.
The webAuth.client.login() uses the /oauth/token endpoint which is part of the features available under the scope of API Authorization and OIDC conformance. The side effect of this is that non-standard/custom claims like app_metadata are not automatically included or mapped to the issued ID token.
You have to include custom claims explicitly through the means of a rule (read more about this at OIDC - User Profile Claims).
Using a rule you can add this information to the token (take into consideration that the claim type/name has to use a namespace so there’s no possibility of conflict with future OIDC claims):
function (user, context, callback) {
  // Add app_metadata to the ID token under a namespaced claim
  if (context.idToken) {
    context.idToken["http://example.com/meta"] = user.app_metadata;
  }
  callback(null, user, context);
}
Also note that the user_id is already included in the ID token by default; it just uses the OIDC claim type of sub, which refers to the subject claim that represents the user identifier at the associated OIDC issuer (which is the Auth0 user_id).
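The consuming side of the rule above, as an added example that is not part of the original answer: Node code (usable from an Electron main process) that verifies an ID token before reading `sub` and the namespaced claim. The names `readIdToken` and `makeSampleToken`, the RS256 assumption, and the issuer, audience and key values are all hypothetical and constructed here; a real client would obtain the public key from its tenant's published signing keys.

```javascript
const nodeCrypto = require('crypto');

const META_CLAIM = 'http://example.com/meta'; // namespace used by the rule above

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Returns { userId, appMetadata }, or throws if the token is not acceptable.
function readIdToken(idToken, publicKey, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm instead of trusting whatever the header announces.
  if (b64urlJson(h).alg !== 'RS256') throw new Error('unexpected alg');
  const ok = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
    publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Claims are only read after the signature has been checked.
  const claims = b64urlJson(p);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // `sub` carries the user_id; app_metadata sits under the namespaced claim.
  return { userId: claims.sub, appMetadata: claims[META_CLAIM] || {} };
}

// Builds a constructed sample token signed with a throwaway key (demo only).
function makeSampleToken(privateKey, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const signingInput = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleClaims = { // constructed values, not from a real tenant
  iss: 'https://tenant.example.com/',
  aud: 'constructed-client-id',
  sub: 'auth0|constructed-user',
  exp: Math.floor(Date.now() / 1000) + 3600,
  [META_CLAIM]: { roles: ['admin'] },
};
const sampleToken = makeSampleToken(privateKey, sampleClaims);
const expected = { issuer: sampleClaims.iss, audience: sampleClaims.aud };
console.log(readIdToken(sampleToken, publicKey, expected));
```

Authorization decisions based on app_metadata should only use claims returned by a check like this, since a token that is merely base64-decoded can be edited by whoever holds it.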