We’re using rules to apply a couple of custom claims to our tokens. This works as expected, except for this flow:
- Register with username/password
- Log out
- Use a social login (Google in our case) to log in with the same email
At this point, this user should have multiple identities (username/password and social) and some user and app metadata.
Unfortunately, the id token provided by `WebAuth` (using `parseHash` in this particular case) does not return `app_metadata` or `user_metadata`. In fact, these objects are not available in the rule that we use to apply the custom claims. The `sub`s are identical in these scenarios, and in other flows it does contain the correct metadata.
Weirdly enough, it does work when the user tries again by refreshing the page. Note: this will use `checkSession` instead of `parseHash`, because the user was redirected to a different page in the meantime. `parseHash` does work correctly for username/password accounts though.