OIDC-conformant no user_metadata received

OIDC-conformant is enabled in my application and my scope contains user_metadata:
Scope = "openid email profile user_metadata app_metadata picture"

But I am not receiving any user_metadata in the claims.
I'm developing using C#:
string userMetadata = ((ClaimsIdentity)User.Identity).FindFirst("user_metadata")?.Value;
It always returns null. Any help?

Hello @samer13us,

You can add data from user_metadata and app_metadata to your tokens by using custom claims.


Can you provide me sample code?

If you go to ‘Rules’ in your tenant and click ‘Add Rule’, you’ll get a page of templates for many common scenarios. The code for the templates is also available here:

A typical “add attribute to claim” rule looks something like this (I don’t know JavaScript so there may be better ways to do this):

function (user, context, callback) {
  // Copy the attribute into a namespaced access token claim only when it is set.
  if (user.app_metadata.my_attribute) {
    context.accessToken['https://www.foo.bar/my_attribute'] = user.app_metadata.my_attribute;
  }
  callback(null, user, context);
}

Sorry, but no clear steps exist, no example from A to Z to show the case.

Hello @samer13us,

There are plenty of well documented examples in the documentation, but here is one of my own. If you have, for example, the following in app_metadata:

"app_metadata": {
    "roles": [

Then the following rule will add the list of roles to the ID token:

function (user, context, callback) {
  // Adds roles list to idToken.
  user.app_metadata = user.app_metadata || {}; // guard: app_metadata may be unset
  user.app_metadata.roles = user.app_metadata.roles || [];
  context.idToken["https://mydomain.com/claims/roles"] = user.app_metadata.roles;
  callback(null, user, context);
}

Dear, this is what I did:
I added a new rule →

function (user, context, callback) {
  const namespace = 'https://mydomain.auth0.com/';
  context.idToken[namespace + 'picture'] = user.picture;
  context.idToken[namespace + 'color'] = user.user_metadata.color;
  callback(null, user, context);
}

But still, when logged in, no user_metadata is received in ((ClaimsIdentity)User.Identity)?
How do I extract the user_metadata from ((ClaimsIdentity)User.Identity), not by calling the API "https://mydomain.auth0.com/api/v2/userinfo/" + nameIdentifier?

OK, finally I solved it by doing the following:
1. Go to your dashboard.
2. Click on Rules.
3. Add a new rule (empty rule).
4. Copy/paste this script.
Note: don’t use your Auth0 app domain, use your original domain.

function (user, context, callback) {
  var namespace = 'https://www.originaldomain.com/';
  if (context.idToken && user.user_metadata) {
    context.idToken[namespace + 'user_metadata'] = user.user_metadata;
  }
  if (context.idToken && user.app_metadata) {
    context.idToken[namespace + 'app_metadata'] = user.app_metadata;
  }
  callback(null, user, context);
}

6. You will receive the user_metadata with ((ClaimsIdentity)User.Identity).
This is in C#:

string userMetadata = ((ClaimsIdentity)User.Identity).FindFirst("https://www.originaldomain.com/user_metadata")?.Value;

Hello @samer13us,

I’m glad you were able to get this working. Just a couple notes:

  1. The namespace is just a URL formatted string and can be anything. It does not need to be a functioning URL. As you have noted, it is common practice to use a string based on your own domain name since this should always be unique.
  2. It is a best practice to minimize the amount of data you include in your tokens. Including all of app_metadata and user_metadata will work, but the recommended practice is to include just those attributes your application requires.

All the best.
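
The two notes above, combined into one rule as an added example (not code from any poster in this thread or from Auth0): it emits namespaced ID token claims for an allow-list of attributes only, instead of the whole metadata objects. `NAMESPACE`, `ALLOWED`, `buildClaims` and `addMetadataClaims` are hypothetical names, and the sample user is constructed.

```javascript
// Added example. In the dashboard, paste the rule as an anonymous
// function (user, context, callback) { ... }; it is named here so it runs under Node.

// Assumption: your own domain. A URL-formatted string; it does not need to resolve.
const NAMESPACE = 'https://www.originaldomain.com/';

// Assumption: the only attributes this application needs from each metadata object.
const ALLOWED = { user_metadata: ['color'], app_metadata: ['roles'] };

// Build namespaced claims from allow-listed attributes that are actually present.
function buildClaims(user, namespace, allowed) {
  // Per the thread: do not use the Auth0 app domain as the namespace.
  if (/^https?:\/\/([^\/]+\.)?auth0\.com(\/|$)/i.test(namespace)) {
    throw new Error('namespace must not be an Auth0 domain');
  }
  const claims = {};
  for (const bucket of Object.keys(allowed)) {
    const source = user[bucket] || {}; // metadata may be missing on some users
    for (const key of allowed[bucket]) {
      if (Object.prototype.hasOwnProperty.call(source, key)) {
        claims[namespace + bucket + '/' + key] = source[key];
      }
    }
  }
  return claims;
}

// The rule itself: same (user, context, callback) shape as the rules in the thread.
function addMetadataClaims(user, context, callback) {
  try {
    if (context.idToken) {
      Object.assign(context.idToken, buildClaims(user, NAMESPACE, ALLOWED));
    }
    return callback(null, user, context);
  } catch (err) {
    return callback(err);
  }
}

// Constructed sample user: 'phone' and 'internal_id' must not reach the token.
const sampleUser = {
  user_metadata: { color: 'blue', phone: '555-0100' },
  app_metadata: { roles: ['editor'], internal_id: 'constructed-123' },
};
addMetadataClaims(sampleUser, { idToken: {} }, (err, user, context) => {
  console.log(err || context.idToken);
});
```

With this naming, the C# lookup from the thread would use the full claim name, for example `FindFirst("https://www.originaldomain.com/user_metadata/color")`.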

