Auth0 Home Blog Docs

Retrieve app_metadata on the first login



I’m using the Authorization extension to manage my groups and roles meaning update data on user app_metadata.
The problem is it only takes effect after the user first login. when the first login occurs it returns an access token that does not contain the user app_metadata (the required groups and roles) and only then update the user app_metadata using the auth0 rules. I guess it happens because the access token is JWT and it is stateless so when I use this access token to retrieve the user info it doesn’t contain the groups and permissions.

My flow :

client login to auth0 -> client gets access token -> client send access token to the backend -> backend verify the user info from auth0.

How can I get the user app_metadata on first login?


Take a look at the following documentation regarding sending custom claims in the tokens:


I have spent the last 6 hours trying to figure out the same.
By evaluating the results of the /userinfo endpoint I have managed to get an hint… so I went back to the morning experiments and… FIXED right away!

Ok, let me TLDR the various auth0 documentation: you cannot retrieve app_metadata directly in your token as the names of the various variables in the tokens must be

  1. standard claims
  2. namespaced claims

app_metadata is neither so it won’t go through… to make it work you have to give it another name. So for example, by adapting my rule, which takes care of both annotating the new profile and producing the JWT

 var namespace = 'https://not_quite_your_auth0_domain/';
 context.idToken[namespace + 'settings_family/specific_setting'] = {
    arbitrary: "object",
    goes: "there"

You need not to save or anything, just modify the context.idToken object and you’re good to go.

Differently from what the documentation seems to suggest here and there (maybe outdated?) you do not need to modify your ‘scope’ settings to have it work.

Note the use of underlines. Some characters are apparently invalid, will get mangled differently according to context and will most likely fail to get through the rule. In particular, ‘.’ is not a valid character differently from what Custom claims seems to suggest with their ‘namespacing’ example.

Let me know if it works for you!

Auth0: I hope you are going to step up your documentation very soon now you got that cash.


Thanks for your comments, but unfortunately it’s not very helpful.

The way you suggested means that I can’t use the Authorization extension. I am using the authorization extension to get the user roles and groups so I can validate the user has sufficient permissions to access my DB. The groups and roles are saved automatically by the extension on the app_metadata .


You say you didn’t need to change scope. How was the auth0 call in the end?