How to get more metadata in JWT using Auth0.js v8?

I had been happily using Lock and v7 and getting various metadata (user_metadata, app_medatada, etc.) in the JWT token from my SPA to my API endpoint.

I’m moving to using Auth0.js and v8, which isn’t going well. I understand that even for apps that aren’t marked OIDC compliant, only OIDC scopes are encoded in the JWT.

I don’t understand what the workarounds for this new limitation are. I suppose I could build serverside logic to get the user profile, but that will slow things down and add auth0 complexity on the server endpoint which I’d rather not have.

I read on various bugs and tickets that it’s also possible to do so with rules. Any pointers as to how to do that? My feeble attemp:

function (user, context, callback) {
  user.user_metadata = user.user_metadata || {};
  user.app_metadata = user.app_metadata || {};
  user.drink = "lemonade"; = "soccer";
  callback(null, user, context);

isn’t working because it seems user.user_metadata is null by the time it gets to this function.

There’s also been suggestions to use loginWithResourceOwner, but that isn’t documented AFAICT and appears to be on the path to deprecation.

Any help appreciated.

Please read through the following document which outlines how to add custom claims to the id_token or access_token: OpenID Connect Scopes

Thanks for this link, it seems almost useful.

I’ve created and enabled a rule based on this, but I don’t understand how to capture the stuff that is normally in the profile. A line like:

context.idToken[namespace + 'app_meta_data'] = user. app_metadata

doesn’t work because the user object is stripped of attributes like app_metadata before it gets passed to the function, as far as I can tell.

Metadata should be present in the user object in Rules. Could you please try adding a console.log statement at the beginning of the Rule, and monitor the output using the Realtime Webtask logs extension.


Please let me know whether you can see user_metadata and app_metadata in the user profile.

Hmm, I do indeed see user_metadata and app_metadata there. Will dig in more. Thank for the debugging advice.