OIDC-conformant no user_metdadata recieved

samer13us · December 6, 2018, 10:08am

Dears,
OIDC-conformant is enabled in my application and my scope contain user_metadata
Scope = “openid email profile user_metadata app_metadata picture”

but iam not recieving any user_metadata in claims.
im developing using c#
string userMetadata = ((ClaimsIdentity)User.Identity).FindFirst(“user_metadata”)?.Value
return always null, Any help?

markd · December 6, 2018, 1:04pm

Hello @samer13us,

You can add data from user_metadata and app_metadata to your tokens by using custom claims.

samer13us · December 7, 2018, 10:52pm

can you provide me sample code ?

markd · December 7, 2018, 11:07pm

If you go to ‘Rules’ in your tenant and click ‘Add Rule’, you’ll get a page of templates for many common scenarios. The code for the templates are also available here:

A typical “add attribute to claim” rule looks something like (I don’t know javascript so there may be better ways to do this):

function (user, context, callback) {
  if (user.app_metadata.my_attribute) {
    context.accessToken['https://www.foo.bar/my_attribute'] = user.app_metadata.my_attribute; 
  }
  callback(null, user, context);
}

samer13us · December 8, 2018, 1:11am

sorry, but no clear steps exists no example from a to z To show the case

markd · December 8, 2018, 1:34pm

Hello @samer13us,

There are plenty of well documented examples in the documentation, but here is one of my own. If you have, for example, the following in app_metadata:

"app_metadata": {
    "roles": [
        "role_one",
        "role_two"
    ]
}

Then the following rule will add the list of roles to the ID token:

function (user, context, callback) {
  // Adds roles list to idToken.
  user.app_metadata.roles = user.app_metadata.roles || [];
  context.idToken["https://mydomain.com/claims/roles"] = user.app_metadata.roles; 
  callback(null, user, context);
}

samer13us · December 9, 2018, 8:50am

Dear this is what i did:
i added new rule →

function (user, context, callback) {
  const namespace = 'https://mydomain.auth0.com/';
  context.idToken[namespace + 'picture'] = user.picture;
  context.idToken[namespace + 'color'] = user.user_metadata.color;
  callback(null, user, context);
}

but still when logged in no user_metadata received in ((ClaimsIdentity)User.Identity)?
how to extract the user_metadata from ((ClaimsIdentity)User.Identity) not from calling API https://mydomain.auth0.com/api/v2/userinfo/" + nameIdentifier)

samer13us · December 9, 2018, 10:24am

OK finally i solve it by doing the following :
1.go to your dashboard
2.click on rules
3.add new rule (empty rule)
4.copy/past this script
Note don’t use your auth0 app domain ,use your original domain

   function (user, context, callback) {
  var namespace = 'https://www.originaldomain.com/';   
   if (context.idToken && user.user_metadata) {
    context.idToken[namespace + 'user_metadata'] = user.user_metadata;
  }
  if (context.idToken && user.app_metadata) {
    context.idToken[namespace + 'app_metadata'] = user.app_metadata;
  }
  callback(null, user, context);
}

5.Save
6. you will receive the user_metadata with ((ClaimsIdentity)User.Identity)
this is in C# :

string userMetadata = ((ClaimsIdentity)User.Identity).FindFirst("https://www.originaldomain.com/user_metadata")?.Value;

markd · December 9, 2018, 3:10pm

Hello @samer13us,

I’m glad you were able to get this working. Just a couple notes:

The namespace is just a URL formatted string and can be anything. It does not need to be a functioning URL. As you have noted, it is common practice to use a string based on your own domain name since this should always be unique,
It is a best practice to minimize the amount of data you include in your tokens. Including all of app_metadata and user_metadata will work, but the recommended practice is to include just those attributes your application requires.

All the best.

system · January 8, 2019, 3:10pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.