How to access app_metadata when user logs in

Hello there, I’m trying to access the app_metadata & user_metadata fields on the user object when a user is authenticated. I would like to know the best way to have this work.

1 Like

Hello @pariola,

You can include in your id_token and / or access_tokens selected fields from metadata using custom claims, or you can use the management API to read a user’s metadata.

2 Likes

You say this, but… I am not sure you are answering the question being asked. It’s easy enough to use rules to add information to the app_metadata and user_metadata, but it isn’t always returned in an accessToken depending on how that accessToken is generated. What I want to know is what is required to get that information to return as part of the accessToken? For example, one of our developers gets an access token using auth0-js and sends the authentication request with a response_type, audience and scope. Another developer is using passport-auth0 and passportjs to do the very same thing. But only the first developer’s accessToken has the metadata in it. I feel like it has to do with the response_type because the first developer is using “token” and the second developer can’t change it because passport hardcodes it to “code”. If we could change the response_type to “token” for the second developer, would that return the metadata we are looking for in the accessToken? Or is there a different tree we should be barking up?

Hello @athomas,

In your first use case, response type token implies the use of the implicit grant flow, which results in an access token being sent directly back to the app via the front channel.

In your second use case, response type code implies you are using the authorization code grant flow. The authorization code that is returned is not an access token (AT). The authorization code needs to be exchanged for an AT at the authorization server (AS).

As I mentioned previously, getting metadata into the access token requires using rules to add custom claims.

Note that it is now recommended to avoid using the implicit grant flow due to inherent weaknesses in that flow. It is preferable to use auth code + PKCE for single page apps.
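As an added example (not from this thread or from Auth0's own samples), here is what the "rule that adds custom claims" looks like, together with a small stand-in for the context object Auth0 passes to a rule so it can be run offline. The namespace URL, the metadata field names and the sample user are constructed assumptions; the rule runs at token issuance for both the implicit and the authorization code flow, so the flow itself is not what decides whether the claims appear.

```javascript
// Added example: an Auth0 rule that copies selected app_metadata and
// user_metadata fields into the access token and ID token as custom claims.
// Custom claim names must be namespaced with a URL you control; Auth0 drops
// un-namespaced custom claims. The namespace and field names are assumptions.
function addMetadataClaims(user, context, callback) {
  const namespace = 'https://example.com/'; // assumption: your own namespace
  const appMeta = user.app_metadata || {};
  const userMeta = user.user_metadata || {};

  // Copy only the fields an API actually needs: the access token is presented
  // to resource servers, so keep sensitive or bulky metadata out of it.
  context.accessToken[namespace + 'roles'] = appMeta.roles || [];
  context.idToken[namespace + 'preferred_name'] = userMeta.preferred_name || null;

  callback(null, user, context);
}

// Minimal stand-in (constructed for this example) for the context object Auth0
// hands to a rule, so the rule can be exercised without an Auth0 tenant.
function runRule(user) {
  const context = { accessToken: {}, idToken: {} };
  let result;
  addMetadataClaims(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = { accessToken: ctx.accessToken, idToken: ctx.idToken };
  });
  return result;
}

// Constructed sample user, shaped like the user object a rule receives.
const sampleUser = {
  user_id: 'auth0|constructed-example',
  app_metadata: { roles: ['editor'] },
  user_metadata: { preferred_name: 'Pat' },
};

console.log(JSON.stringify(runRule(sampleUser), null, 2));
```

The claims are only visible to the API if the access token is a JWT, which Auth0 issues when the authorization request includes an `audience` (an API identifier); without one the access token is opaque, whichever response_type was used.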