Auth0 Home Blog Docs

Expected rule behaviour change `user.app_metadata` becoming `user.metadata` sometimes



We have a rule that adds a unique UUID to any user that is logging in for the first time:

function(user, context, callback) {
  var request = require('request@2.56.0');
  var uuid = require('uuid@2.0.1');

  user.app_metadata = user.app_metadata || {};
  if (!user.app_metadata.uuid) {
  } else {
    callback(null, user, context);

  function updateUuid() {
    var newUuid = uuid.v4();

          url: auth0.baseUrl + '/users',
          headers: {
            Authorization: 'Bearer ' + auth0.accessToken
          qs: {
            search_engine: 'v2',
            q: 'app_metadata.uuid:"' + newUuid + '"'
        function(err, response, body) {
          if (err) return callback(err);
          if (response.statusCode !== 200) return callback(new Error(body));

          var data = JSON.parse(body);
          if (data.length === 0) {
            user.app_metadata.uuid = newUuid;
            user.app_metadata.given_name = user.given_name;
            user.app_metadata.family_name = user.family_name;

            auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
                .then(function() {
                  user.uuid = newUuid;
                  // context.idToken.uuid = newUuid; // somehow this stopped working, too
                  callback(null, user, context);
                .catch(function(err) {
          } else {
            console.log("UUID " + newUuid + " already exists. Trying another one.");
            // The new UUID already exists, try again

On line 6, we could determine whether the current user is a new user or had already logged in before (thus having been assigned a uuid already). So the rule only assigned uuid to new users.
This had been working for months, until suddenly it stopped working sometime last week. What we discovered through debugging is that for existing users who had already been assigned with uuid, when doing renewAuth (silent authentication) the user.app_metadata would sometimes become missing and an identical user.metadata object would appear instead. This is unexpected as such behaviour is not documented in ‘’ at all. Note that the key change (from app_metadata to metadata) usually happens from the 2nd or 3rd renewAuth request.

Time of the rule behaviour change might have coincided with us testing/installing the ‘Auth0 Authorization’ extension. However, even after disabling the extension, the behaviour did not revert. So we not not really sure whether the added Extension is the cause.


hmm~ just found out that another user also posted about the same issue: There is no answer to his post yet.


Investigating in the other post - will close this due to duplication.