Problems with Custom Claims

upodroid · July 20, 2019, 11:09pm

Hello

I’m trying to add a custom claims to OIDC and it seems to be unable to pull from the user.

This is the rule I wrote for it from the guide:

function (user, context, callback) {
  const namespace = 'https://myapp.example.com/';
  context.idToken[namespace + 'groups'] = user.user_metadata.groups;
  callback(null, user, context);
}

Any ideas on how to proceed?

This is the Raw JSON of the USER

    {
        "kind": "admin#directory#user",
        "id": "REDACTED",
        "etag": "REDACTED",
        "primaryEmail": "cy@borg.dev",
        "name": "REDACTED",
        "isAdmin": true,
        "isDelegatedAdmin": false,
        "lastLoginTime": "2019-07-20T15:15:50.000Z",
        "creationTime": "2019-03-23T10:56:51.000Z",
        "agreedToTerms": true,
        "suspended": false,
        "archived": false,
        "changePasswordAtNextLogin": false,
        "ipWhitelisted": false,
        "emails": [
            {
                "address": "cy@borg.dev",
                "primary": true
            },
            {
                "address": "cy@borg.dev.test-google-a.com"
            },
            {
                "address": "REDACTED"
            },
            {
                "address": "REDACTED"
            }
        ],
        "phones": [
            {
                "value": "REDACTED",
                "type": "mobile"
            }
        ],
        "is_admin": true,
        "is_suspended": false,
        "is_ipWhitelisted": false,
        "tou_accepted": true,
        "email": "cy@borg.dev",
        "email_verified": true,
        "given_name": "REDACTED",
        "family_name": "REDACTED",
        "picture": "https://lh3.googleusercontent.com/-D-Y3z5r6wyU/AAAAAAAAAAI/AAAAAAAAAAA/ACHi3rdRM44-ytY1im6y5jH6ASfaY6nAcw/photo.jpg",
        "locale": "en-GB",
        "groups": [
            "Admin",
            "Work"
        ],
        "updated_at": "2019-07-20T22:53:33.790Z",
        "user_id": "google-apps|cy@borg.dev",
        "nickname": "cy",
        "identities": [
            {
                "provider": "google-apps",
                "user_id": "cy@borg.dev",
                "connection": "borg-dev",
                "isSocial": false
            }
        ],
        "created_at": "2019-07-20T21:10:48.253Z",
        "last_ip": "90.254.116.32",
        "last_login": "2019-07-20T22:53:33.789Z",
        "logins_count": 6,
        "blocked_for": [],
        "guardian_authenticators": []
    }

mathiasconradt · July 21, 2019, 6:39pm

Your rule only adds the custom claims to the ID Token; doing so doesn’t mean they’re also persisted in the user store. This would require an additional method call like this:

function (user, context, callback) {
  const namespace = 'https://myapp.example.com/';
  user.user_metadata = user.user_metadata || {};
  context.idToken[namespace + 'groups'] = user.user_metadata.groups;
  callback(null, user, context);

  // persist in user store
  auth0.users.updateUserMetadata(user.user_id, user.user_metadata)
    .then(function(){
      callback(null, user, context);
    })
    .catch(function(err){
      callback(err);
    }); 
}

Update to this reply: this approach using user_metadata is only needed if the groups were stored in user_metadata, which isn’t the case, because they’re right in the root object of the user. I had just overlooked this when providing this reply. But keeping this reply here for reference.

upodroid · July 22, 2019, 9:41am

I get this response.

{
  "error": "access_denied",
  "error_description": "Cannot read property 'groups' of undefined"
}

mathiasconradt · July 22, 2019, 10:46am

Add this:

user.user_metadata = user.user_metadata || {};

as first line. Adjusted original reply accordingly. But it seems that the user doesn’t have any assigned groups in the first place. So the custom claim will not hold any values, at least not for the user you tried before.

Btw: are the groups something you’re assigning via your own custom logic, or are these the groups from the Authorization Extension or RBAC Core features (Role-Based Access Control)?

upodroid · July 22, 2019, 11:32am

Hi

Now the error disappears. But the user profile is empty.

The user I showed above has values for the groups which I would like to add to the claim.

What I’m basically looking to do is set the groups in Gsuite and when I make an oauth call with Auth0 it should pick this value up and the application can set the correct permissions based on the value of this claim.

mathiasconradt · July 22, 2019, 12:31pm

Sorry, I missed in your initial post that the groups are right in the root of your user object.

Then it’s even easier, no need to user metadata:

function (user, context, callback) {
  const namespace = 'https://myapp.example.com/';
  context.idToken[namespace + 'groups'] = user.groups;
  callback(null, user, context);

So your initial rule was almost right, it was just looking up the groups from the wrong node (user_metadata) instead of the root.

upodroid · July 22, 2019, 5:33pm

Thank you.

I’m able to pull the correct information now.

mathiasconradt · July 22, 2019, 5:36pm

Nice, glad it worked!

system · August 6, 2019, 5:36pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.