How can I make app_metadata available in /userinfo endpoint?

sdegroot · May 18, 2017, 7:51pm

We have a very detailled level of authorization set-up for our API. Currently using the authorization-extension of auth0 to manage all of these authorizations. It can very well be that a single user receives up to 20 groups, 10 roles and 100 permissions. We need all of this information available in the API to do granular authorization. However, placing all of this information in the token could generate very large tokens, which the documentation also discourages. So, instead, we’ve turned the ‘Persistence’ switch on in the authorization-extension configuration

Now, after receiving an access token, when I do a call to https://example.eu.auth0.com/userinfo I would expect to get the app_metadata section in there as well. However this the actual response:

{"sub":"auth0|591xxx131a3","name":"sdegroot@mydomain","nickname":"sdegroot","picture":"https://s.gravatar.com/avatar/0b20cee90fb35eb54a6426808b89aa01?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fsd.png","updated_at":"2017-05-18T10:55:38.425Z"}

While I am using this as auth configurations for Lock:

auth: {
        redirectUrl: 'http://localhost:2000/auth0.html',
        responseType: 'token',
        sso: true,
        params: {
             audience: 'my-api-audience-name',
             scope: 'openid profile test:test groups permissions roles'
        }
}

The interesting thing, is in the documentation it mentions this:

You can also store the authorization
context information in the user
profile. The data will be stored in
the user’s app_metadata and you can
then use the Management API or the
/userinfo endpoint to retrieve this
information after the user has logged
in.

However this doesn’t seem to work. How do you guys recommend me to proceed with this?

Thanks in advance!

jmangelo · May 23, 2017, 4:26pm

The documentation is incomplete as that was supported as part of the legacy flows, but now when using the new flows that adhere to the OpenID Connect specification (using API authorization implies the use of the new flows).

More specifically, the metadata is no longer returned in calls to the user information endpoint. See the comparison table at this documentation page.

For this scenario you can obtain the user metadata by going through the Management API instead.

kurtmilam · June 25, 2017, 2:51am

The documentation needs a lot of work. I burned hours yesterday trying to figure out how to get metadata returned in a token (auth0-js v8.8.0 on an SPA).

Is there a plan in place for bringing the documentation up to date so that users/customers don’t have to stumble around for hours in order to find documentation that’s correct?

kurtmilam · June 25, 2017, 2:55am

On a related note, in order to access user and app metadata in an id token (I’m writing a SPA using auth-0 js v8.8.0), you’ll have to create a rule, first, such as the following:

function (user, context, callback) {
  const namespace = 'https://yourdomain.com/';
  context.idToken[namespace + 'user_metadata'] = user.user_metadata;
  context.idToken[namespace + 'app_metadata'] = user.app_metadata;
  callback(null, user, context);
}

Now, include user_metadata and app_metadata in your scope, and the fields will be included in the id token with the key names https://yourdomain.com/user_metadata and https://yourdomain.com/app_metadata, respectively.

I burned a couple of hours trying to figure this out yesterday due to auth0’s poor and in many cases out of date documentation, and the experience has made me somewhat skeptical of auth0’s solutions.

carol · September 23, 2017, 11:55pm

I have to agree with you that the documentation is inconsistent and often out of date. I am still struggling with getting user metadata and very confused about which method I should be using. Your answer helped, and that is the route I am taking so thank you!

reedjordo · November 21, 2017, 10:59pm

I agree with @kurtmilam I’ve burned way too many hours on this simple issue. I still don’t know what the recommended solution is for accessing user_metadata through a SPA.

sdegroot · November 21, 2017, 11:20pm

In the end, we decided to add the meta_data to the token using Rules.

function (user, context, callback) {
  context.accessToken"https://platform.caple.eu/partnerId"] = user.app_metadata.partner_id;
  context.accessToken"https://platform.caple.eu/country"] = user.app_metadata.country;
  context.accessToken"https://platform.caple.eu/roles"] = user.app_metadata.authorization.roles;
  
  callback(null, user, context);
}

Topic		Replies	Views
Created Extension with Roles and Permissions but How can Front-end Get This info Help	5	4602	December 17, 2018
How to get app_metadata and user_metadata THE RIGHT WAY Help jwt , auth0 , login , access-token	2	17296	October 21, 2019
Retrieve app_metadata on the first login Help rules , app_metadata , authorization-extens , login	5	6254	March 2, 2018
Additional user information Help	5	4275	January 11, 2019
Accessing Auth Extension Metadata in User Profile Help user-metadata , auth , user-profile	1	4013	March 2, 2018

How can I make app_metadata available in /userinfo endpoint?

Related Topics