Metadata missing in rules (sometimes)

We’re using rules to apply a couple of custom claims to our tokens. This works as expected, except for this flow:

  • Register with username/password
  • Log out
  • Use a social login (Google in our case) to log in with the same email

At this point, this user should have multiple identities (username/password and social) and some user and app metadata.

Unfortunately, the ID token provided by WebAuth (using parseHash in this particular case) does not return app_metadata or user_metadata. In fact, these objects are not available in the rule that we use to apply the custom claims. The subs are identical in these scenarios, and in other flows it does contain the correct metadata.

Weirdly enough, it does work when the user tries again by refreshing the page. Note: this will use checkSession instead of parseHash, because the user was redirected to a different page in the meantime. parseHash does work correctly for username/password accounts though.

This turned out to be a bug in one of the other rules we’ve made. Sorry, this could be closed.