Saving custom claims to app_metadata

I have created an enterprise connection to allow users to authenticate on a third-party OIDC IDP. This IDP generates identity tokens with custom claims. I need to store those claims in the user’s app_metadata at each login. It should be easy, shouldn’t it?

My first option was to enable automated synchronization. According to this document, the automated synchronization can only be done on "user profile attributes", not on app_metadata attributes.

My second option was to create an action to update the app_metadata, but in an action I cannot access the idToken information coming from the third party Identity Provider in either the event or API objects. I have tried api.idToken["https://namespace/claim"], but this returns null. I assume this is because this object is to set custom claims, not to get them.

My third option was to create a rule to retrieve the custom claims from the third-party IDP identity token, and store them in the app_metadata. I thought this should be possible based on this reply (which talks about a similar use case for third-party SAML assertions). In this case I am unable to find any suitable attribute to get the information in the third-party identity token, neither in the user object nor in the context one. The references to context.idToken["https://namespace/claim"] return null.

It is difficult for me to accept there is no way to store information from custom identity token claims into app_metadata when the user logs in.

What am I missing?

I have found a big mistake in my question, a confirmation, and a solution.

The big mistake is stating the information from the third-party IDP is not saved. It is saved in the user profile (out of the metadata fields). It can be seen in the “Identity Provider Attributes” section of the user details, as well as in the “Raw JSON” section.

I have been able to confirm that this information cannot be retrieved via actions via event.user["https://namespace/claim"].

It can however be used in rules via user["https://namespace/claim"].

The solution is to use rules instead of actions (in this case, for as long as actions do not enable this functionality).

PS: in case you find it strange that the IDP claims are stored replacing dots with colons (just like me), check this thread.

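An added example (not code from the thread) of the rule-based approach the follow-up describes: an Auth0 Rule that reads the third-party IdP claims off the user profile and writes them to app_metadata. The `auth0` stub, the claim names and the sample profile are constructed here; the dot-to-colon translation follows the PS above.

```javascript
// Constructed stand-in for the `auth0` global Auth0 injects into Rules; it only
// records the last Management API write so the example runs offline.
const auth0 = {
  users: {
    updateAppMetadata(userId, metadata) {
      auth0.users.lastCall = { userId, metadata };
      return Promise.resolve(metadata);
    },
  },
};

// Hypothetical IdP claim names and the dot-free app_metadata fields they feed.
const CLAIM_TO_FIELD = {
  'https://namespace/claim': 'idp_claim',
  'https://idp.example.com/department': 'department',
};

// Per the thread's PS, dots in claim names appear as colons on the stored
// profile, so translate the claim name before reading it from `user`.
function profileKey(claim) {
  return claim.replace(/\./g, ':');
}

// Fields that actually need writing: absent claims are skipped, and values already
// in app_metadata are skipped to avoid a Management API call on every login.
function pendingUpdates(user) {
  const current = user.app_metadata || {};
  const updates = {};
  for (const [claim, field] of Object.entries(CLAIM_TO_FIELD)) {
    const value = user[profileKey(claim)];
    if (value !== undefined && current[field] !== value) updates[field] = value;
  }
  return updates;
}

// Rule entry point in the (user, context, callback) shape Auth0 Rules use.
function syncIdpClaims(user, context, callback) {
  const updates = pendingUpdates(user);
  if (Object.keys(updates).length === 0) return callback(null, user, context);
  const merged = Object.assign({}, user.app_metadata, updates);
  auth0.users.updateAppMetadata(user.user_id, merged)
    .then(() => { user.app_metadata = merged; callback(null, user, context); })
    .catch(callback); // a failed write fails the login rather than passing stale data
}

// Constructed profile as the third-party OIDC connection would store it.
const sampleUser = {
  user_id: 'oidc|example-user',
  app_metadata: { idp_claim: 'old', department: 'security' },
  'https://namespace/claim': 'new',
  'https://idp:example:com/department': 'security',
};
syncIdpClaims(sampleUser, {}, (err) => { if (err) throw err; });
```

Only `idp_claim` is written for the sample profile, because `department` already matches; a profile without the claims triggers no Management API call at all.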

Thanks for providing an update!