How to get user metadata from Python

Hello friends, I’m having difficulties fetching user metadata for my Python application. I’ve done a lot of research and tried various suggestions, but either the metadata doesn’t come through, or some error occurs, as in the example below, which raises an exception in the .client_credentials command. I appreciate any help.

from auth0.authentication import GetToken
from auth0.management import Auth0

domain = 'mydomain.auth0.com'
client_id = 'myclientid'
client_secret = 'myclientsecret'

get_token = GetToken(domain, client_id, client_secret=client_secret)
token = get_token.client_credentials('https://{}/api/v2/'.format(domain))
mgmt_api_token = token['access_token']
auth0 = Auth0(domain, token['access_token'])

Hi @mrctito,

Welcome to the Auth0 Community!

It looks like you are on the right track with using the Management API to get the user’s user_metadata. Specifically, you will want to make a request to the GET /api/v2/users/{id} endpoint.

Looking at your code snippet, I noticed that the exception being thrown in the .client_credentials command looks to be because the audience is not pointing to your Management API identifier.

It should have the following syntax: https://yourDomain.region.auth0.com/api/v2

Could you please make these corrections and see how it goes for you?

Thanks,
Rueben

Thank you!

I solved this issue, but I have another related problem.

I am having trouble understanding and using the API permissions.

To avoid mistakes that I might make, I am using the API TEST option on the Auth0 website, and what I do is take the access_token and ask for it to be decoded on the jwt.io website.

The problem is that the permissions of my APIs are never filled.

And I noticed that the same thing happens with the TODO API.

I am using a Regular Web application, and my APIs have the “Enable RBAC” options and “Add Permissions in the Access Tokens” checked.

But I tested the Auth0 Management API with them and things work, and it doesn’t come with the permissions but the SCOPE.

Thank you.

Hi @mrctito,

Thanks for following up.

Have you made sure that the audience parameter that was passed in your login request (/authorize) matches the API for which the user was granted permissions?

Thanks,
Rueben

Hi!

Yes, I have. But look, I’m running it through the “Test” option on the dashboard, so I’m not logging in through my application. I am inside the Auth0 website.

I test through the Auth0 site and decode using jwt.io. My application is not involved.

Thank you.

Hi @mrctito,

Thanks for providing me with this information.

Looking at your screenshots, it seems like you are performing the Client Credentials flow instead of the Authorization Code flow.

The Client Credentials flow requires no user interaction and is meant for machine-to-machine applications to get an access token for your application.

Whereas the Authorization Code flow requires the user to enter their email and password to log in. Once they have logged in successfully, they will get an access token.

You can verify this information by checking your response_pergunta_ws (Test Application) and seeing that it is a machine-to-machine application type. This is also justified by the decoded token, which has the "gty": "client-credentials" claim.

If you want to get the user_metadata in the access token, you must perform the Authorization Code flow.

Please refer to our Call Your API Using the Authorization Code Flow documentation.

To clarify, you should start your login request by calling the following:

https://{yourDomain}/authorize?
    response_type=code&
    client_id={yourClientId}&
    redirect_uri={https://yourApp/callback}&
    scope={scope}&
    audience={apiAudience}&
    state={state}

Please let us know how this goes for you.

Thanks,
Rueben
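
The claims discussed in the reply above (gty, aud, scope, permissions) can be read locally, so the access token never has to be pasted into a website. This is an added example, not code from the thread or from Auth0; the function names, the API identifier and the sample tokens are constructed, and decoding here only inspects the token and does not verify it.

```python
import base64
import json

API_AUDIENCE = "https://my-api.example/"  # constructed API identifier (assumption)


def decode_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, expected_audience: str) -> list[str]:
    """List what the claims say about grant type, audience and permissions."""
    claims = decode_claims(token)
    findings = []
    if claims.get("gty") == "client-credentials":
        findings.append("gty=client-credentials: issued to the application, no user login")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_audience not in aud:
        findings.append(f"aud {aud} does not include {expected_audience}")
    if not claims.get("permissions"):
        findings.append(f"no permissions claim; scope is {claims.get('scope', '')!r}")
    return findings


def sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for this demo (dummy signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"


# Constructed sample claims; the values are not taken from the thread's screenshots.
M2M_TOKEN = sample_token({"sub": "myclientid@clients", "aud": API_AUDIENCE,
                          "gty": "client-credentials", "scope": "read:items"})
USER_TOKEN = sample_token({"sub": "auth0|constructed-user",
                           "aud": [API_AUDIENCE, "https://mydomain.auth0.com/userinfo"],
                           "scope": "openid profile email", "permissions": ["read:items"]})

if __name__ == "__main__":
    for name, tok in (("M2M", M2M_TOKEN), ("user", USER_TOKEN)):
        print(name, diagnose(tok, API_AUDIENCE) or "no findings")
```

An API that receives such a token must still validate its signature, issuer and audience before trusting any claim.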

Dear Sir, I am inexperienced in this matter; let me show you how I am doing it. Could you tell me if this is equivalent to what you instructed?

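# Imports assumed from the calls below (Authlib's Starlette client with FastAPI)
import os

from authlib.integrations.starlette_client import OAuth
from fastapi import FastAPI, Request

app = FastAPI()

oauth = OAuth()

# Register Auth0 as an OAuth provider; credentials are read from the environment
oauth.register(
    name='auth0',
    client_id=os.getenv('AUTH0_CLIENT_ID'),
    client_secret=os.getenv('AUTH0_CLIENT_SECRET'),
    client_kwargs={"scope": "openid profile email"},
    server_metadata_url=f"https://{os.getenv('AUTH0_DOMAIN')}/.well-known/openid-configuration",
    access_token_url=f"https://{os.getenv('AUTH0_DOMAIN')}/oauth/token",
    authorize_url=f"https://{os.getenv('AUTH0_DOMAIN')}/authorize",
    api_base_url=f"https://{os.getenv('AUTH0_DOMAIN')}/",
)

# Send the user to the Auth0 login page; Auth0 redirects back to the 'auth' route
@app.get('/login')
async def login(request: Request):
    redirect_uri = request.url_for('auth')
    return await oauth.auth0.authorize_redirect(request, redirect_uri)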

THANK YOU!

Hi @mrctito,

Thanks for following up.

Yes, it looks good to me, I see that you are calling the oauth.auth0.authorize_redirect() method 👏!

I will share our Auth0 Python SDK Quickstarts: Add login to your Python Flask app as a reference that you can compare your code with.

Thanks,
Rueben

I appreciate your assistance, but I apologize if I’m having trouble comprehending. Nevertheless, my application still isn’t returning the credentials.

Additionally, one thing I haven’t grasped is how I can test the API using the “Test API” option from the dashboard and view the credentials. Because when I try that approach as I explained initially, the credentials aren’t being provided either.

Thank you.

Hi @mrctito,

Thanks for the reply.

It seems like you are still performing the Client Credentials flow using the Dashboard’s Test tab in the API settings. Could you please confirm?

Have you gotten a chance to check that response_type=code is in your login request? Try using your browser’s network activity to verify the request parameters.

To reiterate, the “Test API” from the dashboard performs a Client Credentials flow. As mentioned previously, you must perform the Authorization code flow to get the user’s permissions in the access token.

I recommend reviewing the different grant type flows. Just to summarize, I recommend using the Authorization Code flow to get your user’s permissions in the access token. To do this, you must send the user to the login page with the oauth.auth0.authorize_redirect(redirect_uri=url_for("callback", _external=True)) command.

Finally, I would urge you to see how our Python Sample App logs the user in.

Alternatively, you could download the Sample App and test it locally to see how it behaves.

Thanks,
Rueben
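
A check for the request parameters mentioned above, applied to an /authorize URL copied from the browser's network tab. This is an added example, not code from the thread or from Auth0; the function name, the API identifier and the sample URLs are constructed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameters of the Authorization Code login request, as listed earlier in the thread
REQUIRED = ("response_type", "client_id", "redirect_uri", "scope", "audience", "state")

API_AUDIENCE = "https://my-api.example/"  # constructed API identifier (assumption)


def check_authorize_request(url: str, expected_audience: str) -> list[str]:
    """Return the problems found in a captured /authorize request URL."""
    parts = urlsplit(url)
    # parse_qs drops empty values, so "state=" counts as missing
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if parts.scheme != "https" or not parts.path.endswith("/authorize"):
        problems.append("not an https /authorize request")
    for name in REQUIRED:
        if not params.get(name):
            problems.append(f"missing parameter: {name}")
    if params.get("response_type", "code") != "code":
        problems.append(f"response_type is {params['response_type']!r}, expected 'code'")
    if "audience" in params and params["audience"] != expected_audience:
        problems.append(f"audience is {params['audience']!r}, expected {expected_audience!r}")
    return problems


# Constructed sample requests (placeholder client id, callback and state)
BASE = {"response_type": "code", "client_id": "myclientid",
        "redirect_uri": "https://yourApp/callback",
        "scope": "openid profile email", "state": "constructed-state-value"}
AUTHORIZE = "https://mydomain.auth0.com/authorize?"
NO_AUDIENCE_URL = AUTHORIZE + urlencode(BASE)
COMPLETE_URL = AUTHORIZE + urlencode({**BASE, "audience": API_AUDIENCE})
IMPLICIT_URL = AUTHORIZE + urlencode({**BASE, "audience": API_AUDIENCE,
                                      "response_type": "token"})

if __name__ == "__main__":
    for label, url in (("no audience", NO_AUDIENCE_URL), ("complete", COMPLETE_URL),
                       ("implicit", IMPLICIT_URL)):
        print(label, check_authorize_request(url, API_AUDIENCE) or "ok")
```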
