Manage User Metadata and App Metadata

walter.adbe · December 19, 2023, 12:46am

Hi,

I have a issue with Auth0 user management.
Following is the user case.
I have three application is Auth0

Management API
Machine to Machine application
Single page application.

I also have two database connection

Database A
Database B
Note: Both the database connection in Auth0 are connected to a common database is AWS.

I am also making use of App_metadata and User_Metadata to build tokens.

I am observing the following behaviour.
When i login using Single page application [user@gmail.com], I am adding some information in App_metadata and User_metadata. Single page application is connected to Database A

When i login using Machine to Machine application [I have my own login logic in the backend and i am using Auth0 to authenticate], some information is added to User and App metadata.

The problem i face is in User management.
Application 1: When i login using SPA a user is added in User Management → Users [with user@gmail.com, Connection: Database A].
Application 2: When i login using M to M a user is added in User Management → Users [with user@gmail.com, Connection: Database B].
But when i login using Application 2, Application 1 App and User metadata is also getting updated which in-turn causes issue when new access token is issued.
Application 1 is creating a new access token using App and User metadata which was recently updated.
Will it be possible to make sure Application 1 and Application 2 [App and User metadata] remains distinct and only updated respective one.

rueben.tiow · December 19, 2023, 4:30pm

Hi @walter.adbe,

Thanks for reaching out to the Auth0 Community!

It appears that the way you have written your Post-Login Action script to append user_metadata and app_metadata properties to the access token, does not consider the condition where the user is authenticating against the SPA or M2M.

Consider using a conditional statement to check which app the user is authenticating against when appending custom claims. For example:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = "http://yourNamespace/";
  if(event.authorization){
    if(event.client.name === 'SPA'){
      api.accessToken.setCustomClaim(`${namespace}user_metadata`, event.user.user_metadata)
      api.accessToken.setCustomClaim(`${namespace}app_metadata`, event.user.app_metadata)
    } else if (event.client.name === 'M2M'){
      api.accessToken.setCustomClaim(`${namespace}user_metadata`, event.user.user_metadata)
      api.accessToken.setCustomClaim(`${namespace}app_metadata`, event.user.app_metadata)
    }
  }
};

Doing it this way will only append custom claims based on the application the user logs into.

Please let me know if you have any questions.

Thanks,
Rueben

system · January 2, 2024, 4:31pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.