Problems with Custom Claims

Hello

I’m trying to add a custom claim to OIDC and it seems to be unable to pull it from the user.

This is the rule I wrote for it from the guide:

function (user, context, callback) {
  const namespace = 'https://myapp.example.com/';
  context.idToken[namespace + 'groups'] = user.user_metadata.groups;
  callback(null, user, context);
}

Any ideas on how to proceed?

This is the raw JSON of the user:

    {
        "kind": "admin#directory#user",
        "id": "REDACTED",
        "etag": "REDACTED",
        "primaryEmail": "cy@borg.dev",
        "name": "REDACTED",
        "isAdmin": true,
        "isDelegatedAdmin": false,
        "lastLoginTime": "2019-07-20T15:15:50.000Z",
        "creationTime": "2019-03-23T10:56:51.000Z",
        "agreedToTerms": true,
        "suspended": false,
        "archived": false,
        "changePasswordAtNextLogin": false,
        "ipWhitelisted": false,
        "emails": [
            {
                "address": "cy@borg.dev",
                "primary": true
            },
            {
                "address": "cy@borg.dev.test-google-a.com"
            },
            {
                "address": "REDACTED"
            },
            {
                "address": "REDACTED"
            }
        ],
        "phones": [
            {
                "value": "REDACTED",
                "type": "mobile"
            }
        ],
        "is_admin": true,
        "is_suspended": false,
        "is_ipWhitelisted": false,
        "tou_accepted": true,
        "email": "cy@borg.dev",
        "email_verified": true,
        "given_name": "REDACTED",
        "family_name": "REDACTED",
        "picture": "https://lh3.googleusercontent.com/-D-Y3z5r6wyU/AAAAAAAAAAI/AAAAAAAAAAA/ACHi3rdRM44-ytY1im6y5jH6ASfaY6nAcw/photo.jpg",
        "locale": "en-GB",
        "groups": [
            "Admin",
            "Work"
        ],
        "updated_at": "2019-07-20T22:53:33.790Z",
        "user_id": "google-apps|cy@borg.dev",
        "nickname": "cy",
        "identities": [
            {
                "provider": "google-apps",
                "user_id": "cy@borg.dev",
                "connection": "borg-dev",
                "isSocial": false
            }
        ],
        "created_at": "2019-07-20T21:10:48.253Z",
        "last_ip": "90.254.116.32",
        "last_login": "2019-07-20T22:53:33.789Z",
        "logins_count": 6,
        "blocked_for": [],
        "guardian_authenticators": []
    }

Your rule only adds the custom claims to the ID Token; doing so doesn’t mean they’re also persisted in the user store. This would require an additional method call like this:

function (user, context, callback) {
  const namespace = 'https://myapp.example.com/';
  user.user_metadata = user.user_metadata || {};
  context.idToken[namespace + 'groups'] = user.user_metadata.groups;

  // persist in user store, then finish the rule
  // (callback must be invoked exactly once, so only after the update settles)
  auth0.users.updateUserMetadata(user.user_id, user.user_metadata)
    .then(function(){
      callback(null, user, context);
    })
    .catch(function(err){
      callback(err);
    });
}

Update to this reply: this approach using user_metadata is only needed if the groups were stored in user_metadata, which isn’t the case, because they’re right in the root object of the user. I had just overlooked this when providing this reply. But keeping this reply here for reference.

I get this response.

{
  "error": "access_denied",
  "error_description": "Cannot read property 'groups' of undefined"
}

Add this:

user.user_metadata = user.user_metadata || {};

as the first line. Adjusted original reply accordingly. But it seems that the user doesn’t have any assigned groups in the first place. So the custom claim will not hold any values, at least not for the user you tried before.

Btw: are the groups something you’re assigning via your own custom logic, or are these the groups from the Authorization Extension or RBAC Core features (Role-Based Access Control)?

Hi

Now the error disappears. But the user profile is empty.

The user I showed above has values for the groups which I would like to add to the claim.

What I’m basically looking to do is set the groups in G Suite and when I make an OAuth call with Auth0 it should pick this value up and the application can set the correct permissions based on the value of this claim.

Sorry, I missed in your initial post that the groups are right in the root of your user object.

Then it’s even easier, no need for user_metadata:

function (user, context, callback) {
  const namespace = 'https://myapp.example.com/';
  context.idToken[namespace + 'groups'] = user.groups;
  callback(null, user, context);
}

So your initial rule was almost right, it was just looking up the groups from the wrong node (user_metadata) instead of the root.
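The behaviour this thread walks through, as an added example that is not the thread's or Auth0's own code: the original rule throws when `user_metadata` is absent (the `access_denied` / "Cannot read property 'groups' of undefined" response above), while a rule that reads `groups` from the root of the user object works. The hardened variant also falls back to `user_metadata`, and only ever emits an array of strings so a malformed value cannot land in the ID token. `runRule` is a minimal stand-in for how Auth0 invokes a rule (an assumption, not the real runtime), and the three users are constructed to mirror the shapes discussed in the thread.

```javascript
'use strict';

// Namespaced claim key, as used in the thread. Custom claims must be namespaced
// with a URI or Auth0 drops them from the token.
const NAMESPACE = 'https://myapp.example.com/';
const GROUPS_CLAIM = NAMESPACE + 'groups';

// The rule from the original post: reads groups from user_metadata and throws a
// TypeError when user_metadata is missing, which Auth0 surfaces as access_denied.
function originalRule(user, context, callback) {
  context.idToken[GROUPS_CLAIM] = user.user_metadata.groups;
  callback(null, user, context);
}

// Hardened rule (added example): prefer groups at the root of the user object,
// as the accepted answer does; fall back to user_metadata; emit only strings.
function groupsClaimRule(user, context, callback) {
  const fromRoot = user.groups;
  const fromMeta = user.user_metadata && user.user_metadata.groups;
  const raw = fromRoot !== undefined ? fromRoot : fromMeta;
  const groups = Array.isArray(raw)
    ? raw.filter(function (g) { return typeof g === 'string'; })
    : [];
  context.idToken[GROUPS_CLAIM] = groups;
  callback(null, user, context);
}

// Stand-in for the Auth0 rule runner (assumption): hands the rule an empty
// idToken map and reports either the resulting claim or the error raised.
function runRule(rule, user) {
  const context = { idToken: {}, accessToken: {} };
  let outcome;
  try {
    rule(user, context, function (err, u, ctx) {
      outcome = err
        ? { ok: false, error: String(err) }
        : { ok: true, claim: ctx.idToken[GROUPS_CLAIM] };
    });
  } catch (e) {
    // A thrown exception becomes access_denied with e.message as error_description.
    outcome = { ok: false, error: e.name };
  }
  return outcome;
}

// Constructed sample users (not real profiles).
const rootUser = { user_id: 'google-apps|cy@borg.dev', groups: ['Admin', 'Work'] };
const metaUser = { user_id: 'auth0|meta-example', user_metadata: { groups: ['Work'] } };
const noGroupsUser = { user_id: 'auth0|no-groups-example' };
const malformedUser = { user_id: 'auth0|malformed-example', groups: 'Admin' };

function demo() {
  return {
    originalOnRootUser: runRule(originalRule, rootUser),
    hardenedOnRootUser: runRule(groupsClaimRule, rootUser),
    hardenedOnMetaUser: runRule(groupsClaimRule, metaUser),
    hardenedOnNoGroups: runRule(groupsClaimRule, noGroupsUser),
    hardenedOnMalformed: runRule(groupsClaimRule, malformedUser),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the original rule failing with a `TypeError` on exactly the user shape from the first post, and the hardened rule producing `["Admin","Work"]` from the root, `["Work"]` from `user_metadata`, and an empty array when groups are missing or not an array. The application consuming the token should still treat the claim as untrusted input until the token signature has been verified.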

Thank you.

I’m able to pull the correct information now.


Nice, glad it worked!
