Enable user_metadata and app_metadata on JWT token

pedro · March 13, 2018, 5:03pm

Hey,

Before the start of Auth0’s deprecation plan, we were able to get the app_metadata and user_metadata from an Auth0 User inside the payload. For example:

{
"iss": "https://test.eu.auth0.com/",
"app_metadata": {
    "roles": [
      "some-role"
    ]
  },
  "user_metadata": {
    "first_name": "John",
    "last_name": "Doe"
  }

Now, for new tenants, this is not happening anymore. We really need a way to enable this for an old customer while we deal with all the changes needed on our server to stop expecting those fields. How can we enable that?

fergus.h.zhou · March 14, 2018, 9:29am

Hi,

Facing same problem, I use https://auth0.com/docs/api-auth/tutorials/adoption/scope-custom-claims to set User profile claims and scope, and I can use /userinfo to get the app_metadata and user_metadata.
But when I use express-jwt to decode the id_token, it only has the default parameters like email, sub, name. Seems app_metadata and user_metadata still not added to the id_token. How can I get them using JWT decode?

Thanks.

mikahb · March 14, 2018, 1:50pm

This would be useful for me as well.

richard.dowinton · March 16, 2018, 3:37pm

Most likely you are now using an OIDC-conformant flow, in which case you need to namespace the claims in the ID token as described here. This is because both user_metadata and app_metadata don’t belong to the OIDC set of standard claims.

If you have in fact namespaced your claims, could you please share HAR file (please remove any sensitive details such as password) of a session where this problem occurs?

Please upload it to a cloud storage service (e.g. Google drive), and share the link with us. Feel free to restrict access to the link for only @auth0.com email addresses using Sharelock.io.

pedro · March 16, 2018, 4:00pm

Indeed Richard, but I’m only using an OIDC-conformant flow because it’s a new tenant and Auth0 is forcing me to it. I changed the setting on the client to not force that, but it still is not working - https://www.dropbox.com/s/4yx5a470hwqzxia/Screenshot%202018-03-16%2016.58.41.png?dl=0.

I understand I can use the claims with the namespace and so on, but we don’t want to change our backend right now to handle this. We’ll do that later, but now, I just need this to work like it was working a couple of months ago.

Is there a way to go back and enable those options for us? To keep using the metadata as we were using before for a specific client or tenant? That’s what’s important to us.

Thanks!
Pedro

konrad.sopala · August 16, 2019, 11:03am

Hey there!

Sorry for the delay in response. We’re doing our best in providing you with best developer support experience out there, but sometimes there are too many questions to handle. Sorry for the inconvenience!

Do you still require further assistance from us?

konrad.sopala · August 19, 2019, 8:54am