
Lock to return app_metadata

lock
app_metadata
auth0-lock

#1

What I’m trying to achieve

I want to use User Details view to set user’s role using app_metadata and then in my Angular app, use Auth0 Lock to determine what to show the user, based on the stored role.
I do not need to modify the role from the app, as per app_metadata concept.

What I’ve tried

In my Auth service, in Angular, I initialise my client:

auth0 = new auth0.WebAuth({
    clientID: 'xxx',
    domain: 'mydomain.auth0.com',
    responseType: 'token id_token',
    audience: 'https://myurl/userinfo',
    redirectUri: `${environment.appUrl}/login-callback`,
    scope: 'openid name picture app_metadata'
});

...

// And when I need to login
this.auth0.authorize();

What I get in response is:

{
  "sub": "facebook|1234567890"
}

Note that it doesn’t include any of the claims, including requested name, picture or app_metadata. If I add profile claim to the scope, I get the name, picture etc. but not the app_metadata.

I would greatly appreciate it if somebody pointed me in the right way to getting the app_metadata to work the way described in the first paragraph.


#2

Perhaps I’m approaching the problem from a wrong angle. Can anyone comment on that?


#3

In order to align more closely with the OIDC specs, the id_token now doesn’t contain any non-OIDC claims, e.g. app_metadata. You do have the option of explicitly setting custom claims in the id_token via a rule; this is outlined further in the following doc:

https://auth0.com/docs/api-auth/tutorials/adoption/scope-custom-claims


#4

Thanks for your reply. I actually looked at that page, but as I see it, the instructions described there outline the process of creating custom claims along with setting values to them. However I don’t require setting any claims, rather only retrieving them.
The code block shows how to set them programmatically, however I would like to set them from the Auth0 dashboard. Is there a way to specify a namespace for claims from the dashboard or should I just use a prefix for them?


#6

@toomas The claims set via the Rule are only added to the relevant token (id_token or access_token), and are not persisted in the user profile. E.g. you can simply retrieve some user_metadata attribute, and add it to the id_token, for you to access and use in your frontend:

...
   context.idToken[namespace + 'language'] = user.user_metadata.language;

The namespace or custom claims for the tokens cannot be set in the dashboard; they must be done in a Rule. The namespace can be any identifier you wish to use, commonly your application URL.


#7

Do I understand this correctly that it is not possible to retrieve user_metadata at once with the initial authorization callback (when I get the id_token)?


#8

You can set the namespaced claim in the Rule, to return your user_metadata in the id_token:

...
    context.idToken[namespace + 'user_metadata'] = user.user_metadata;
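
The rule approach from the replies above, applied to the original question's app_metadata role, as an added example that is not part of the thread or Auth0's own code. The namespace URL, the `role` key, the role list and the `simulateLogin` harness are assumptions; it copies only the role into the ID token rather than the whole metadata object and falls back to the least-privileged role when the field is missing.

```javascript
// Added example. NAMESPACE, ALLOWED_ROLES and the "role" key are assumptions.
const NAMESPACE = 'https://myapp.example.com/';
const ALLOWED_ROLES = ['admin', 'editor', 'viewer'];
const DEFAULT_ROLE = 'viewer';

// Rule body. In the Auth0 dashboard this is pasted as an anonymous
// function (user, context, callback); it is named here so it can be run locally.
// Only the role is copied out of app_metadata, never the whole object.
function addRoleClaim(user, context, callback) {
  const meta = user.app_metadata || {}; // absent until set in User Details
  const role = ALLOWED_ROLES.includes(meta.role) ? meta.role : DEFAULT_ROLE;
  context.idToken = context.idToken || {};
  context.idToken[NAMESPACE + 'role'] = role;
  callback(null, user, context);
}

// Client side: read the claim from an ID token payload the SDK has already
// validated (for example authResult.idTokenPayload from auth0.js parseHash).
function roleFromPayload(payload) {
  const role = payload && payload[NAMESPACE + 'role'];
  return ALLOWED_ROLES.includes(role) ? role : DEFAULT_ROLE;
}

// Local harness standing in for the Auth0 rule runtime (constructed data).
function simulateLogin(user) {
  let payload = null;
  addRoleClaim(user, { idToken: {} }, (err, u, ctx) => {
    if (err) throw err;
    payload = Object.assign({ sub: u.user_id }, ctx.idToken);
  });
  return payload;
}

// Constructed users: one with a role set in app_metadata, one whose only
// "role" sits in user_metadata, which the rule deliberately ignores.
const admin = simulateLogin({ user_id: 'auth0|constructed-1', app_metadata: { role: 'admin' } });
const fresh = simulateLogin({ user_id: 'facebook|1234567890', user_metadata: { role: 'admin' } });
console.log(roleFromPayload(admin), roleFromPayload(fresh)); // admin viewer
```

The role read this way decides what the Angular app displays; any API behind the app still has to check the caller's permissions itself.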
