
Rule API changed without notice

rules
app_metadata
metadata
breaking-change

#1

Today we encountered an issue in our dev environment. After some digging it turned out that all the custom claims on our access_token were gone. So I started debugging the rule that provided these claims. Turns out that user.app_metadata was now undefined, though a new field user.metadata had the same content as user.app_metadata did previously.

Was this an intentional breaking change or is this a bug? Our production environment still works with the exact same rule contents.

Any insight into this issue would be very welcome.


Update:
We are using auth0-js - v8.7.0 (https://github.com/auth0/auth0.js)

  • The auth requests affected use the following endpoint, with parameters something like this:
  • https://apptus-dev.eu.auth0.com/authorize
  • response_type="id_token token"
  • response_mode=fragment
  • prompt=none
  • + scope, client_id, redirect_uri, state, nonce, audience
  • Database connection only
  • As far as I know, only I encountered it because no one else worked on this area before I made a fix to the rule. I can remove the fix and try with a few different users if necessary.
  • This happened every time from when I started to notice it. Since I adjusted the rule, I do not know if this still is an issue.

Update 2:
This just occurred now on our production environment: apptus.eu.auth0.com
Same behavior as dev environment. Seems to affect all users the same.


#2

Hey man, I saw the same issue started to happen: https://community.auth0.com/questions/4707/expected-rule-behaviour-change-userapp-metadata-be


#3

@csv @martin.ma Can you both please provide the following for me to investigate:

  • What API calls were made to authenticate?
  • What connection were the users part of (database connection, Facebook, Google, etc)
  • Does this happen for all users or only a select few?
  • Does this happen all the time or only occasionally?

#4

@prashant I updated the question with the details I have. Let me know if you need further information for now.


#5

Thanks for notifying us of this issue - the engineering team is already working on a fix. In the meantime, please use the following at the beginning of your Rule to accommodate for both user.app_metadata and user.metadata:

var app_metadata = user.app_metadata || user.metadata;

//use `app_metadata` in Rule
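To show the workaround above in the context of a Rule that adds custom claims to the access token (the scenario from post #1), here is an added example; it is not the thread's own code nor Auth0's, and the claim namespace, claim names and sample users are assumed.

```javascript
// Added example (not from the thread or Auth0): an Auth0 Rule that copies a few
// app_metadata fields into the access token and tolerates the user.app_metadata ->
// user.metadata rename reported above. Namespace and claim names are assumptions.
const NAMESPACE = 'https://example.com/claims/'; // assumed namespace for custom claims

function rule(user, context, callback) {
  // Workaround from the thread: read whichever property the platform populated.
  const appMetadata = user.app_metadata || user.metadata || {};
  context.accessToken = context.accessToken || {};

  // Copy only known keys with expected types; never spread the whole object into
  // the token, so unrelated metadata does not leak to every API that receives it.
  if (Array.isArray(appMetadata.roles) && appMetadata.roles.every(r => typeof r === 'string')) {
    context.accessToken[NAMESPACE + 'roles'] = appMetadata.roles.slice();
  }
  if (typeof appMetadata.tenant === 'string') {
    context.accessToken[NAMESPACE + 'tenant'] = appMetadata.tenant;
  }
  return callback(null, user, context);
}

// Helper for exercising the rule outside Auth0: returns the resulting context.
function runRule(user) {
  let result = null;
  rule(user, { accessToken: {} }, (err, _u, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

// Constructed sample users: a normal one, one affected by the rename, one without metadata.
const sampleUsers = {
  withAppMetadata: { user_id: 'auth0|1', app_metadata: { roles: ['admin', 'editor'], tenant: 'acme' } },
  renamedMetadata: { user_id: 'auth0|2', metadata: { roles: ['viewer'], tenant: 'acme' } },
  noMetadata: { user_id: 'auth0|3' },
};
```

In the Rules editor only the `rule` function is pasted (as an anonymous `function (user, context, callback)`), with `NAMESPACE` moved inside it.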

#6

Hi @prashant, for my case the details are as follows:

  • API Call: renewAuth (a.k.a. silent authentication, made through auth0.js - 8.4.0)
  • Connections: the issue happened for at least both ‘google-oauth2’ and ‘facebook’
  • Happened for all users. Could still be reproduced after removing the user and signing up again with the same user’s social identity.
  • Usually after the 2nd or 3rd silent-auth call.

#7

Thanks @csv and @martin.ma - we have reproduced this on our end, with our engineering team working on a fix. Please see my answer for the workaround in the meantime.


#8

Yeah, that’s similar to what I changed the rule to use.
Glad to know that this was a bug and not an undocumented breaking change :slight_smile:


#9

Hi @prashant, is there an estimated date when the fix will be rolled out?


#10