I have created an enterprise connection to allow users to authenticate on a third-party OIDC IDP. This IDP generates identity tokens with custom claims. I need to store those claims in the user’s app_metadata at each login. It should be easy, shouldn’t it?
My first option was to enable automated synchronization. According to this document, the automated synchronization can only be done on "user profile attributes", not on app_metadata attributes.
My second option was to create an action to update the app_metadata, but in an action I cannot access the idToken information coming from the third-party Identity Provider in either the event or API objects. I have tried api.idToken["https://namespace/claim"], but this returns null. I assume this is because this object is to set custom claims, not to get them.
My third option was to create a rule to retrieve the custom claims from the third-party IDP identity token and store them in the app_metadata. I thought this should be possible based on this reply (which talks about a similar use case for third-party SAML assertions). In this case I am unable to find any suitable attribute to get the information in the third-party identity token in either the user object or the context object. The references to context.idToken["https://namespace/claim"] return null.
It is difficult for me to accept there is no way to store information from custom identity token claims into app_metadata when the user logs in.
What am I missing?
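Added example, not part of the original post and not Auth0's own code: the storage half of what the post describes, as a post-login Action. It assumes the IdP claims can be read from somewhere (that is the open question above; `getIdpClaims` is a hypothetical placeholder that returns nothing until that is resolved) and assumes the connection name `my-third-party-oidc` and the namespace `https://namespace/`. Because app_metadata is typically trusted by the application for authorization decisions, the example only copies an allowlist of claims, checks each claim's type, only runs for the expected connection, and skips the write when the stored value is already current. The Actions API members used (`event.connection.name`, `event.user.app_metadata`, `api.user.setAppMetadata(name, value)`) exist in Auth0's post-login Action API.

```javascript
// Added example (not from the original post). Assumed connection name and claim namespace.
const TRUSTED_CONNECTION = "my-third-party-oidc";
const CLAIM_PREFIX = "https://namespace/";

// Allowlist of IdP claims that may be copied into app_metadata, with the expected JSON type.
// Anything not listed here, or with the wrong type, is ignored rather than stored.
const ALLOWED_CLAIMS = {
  [`${CLAIM_PREFIX}department`]: "string",
  [`${CLAIM_PREFIX}clearance`]: "number",
};

// Build the set of app_metadata keys that actually need writing.
// idpClaims: claims from the third-party identity token (constructed by the caller).
// existing:  the user's current app_metadata, used to make the update idempotent.
function buildAppMetadataPatch(idpClaims, existing = {}) {
  const patch = {};
  for (const [claim, expectedType] of Object.entries(ALLOWED_CLAIMS)) {
    if (!Object.prototype.hasOwnProperty.call(idpClaims, claim)) continue;
    const value = idpClaims[claim];
    if (typeof value !== expectedType) continue; // wrong type: do not trust it
    const key = claim.slice(CLAIM_PREFIX.length); // "https://namespace/department" -> "department"
    if (existing[key] === value) continue; // already stored: no write needed
    patch[key] = value;
  }
  return patch;
}

// Hypothetical placeholder for the part the post is asking about: how to reach the
// IdP token claims from inside an Action. It returns no claims until that is solved.
function getIdpClaims(event) {
  return {};
}

// Post-login Action handler (Auth0 convention: exports.onExecutePostLogin).
async function onExecutePostLogin(event, api) {
  // Only act on logins coming through the trusted enterprise connection.
  if (!event.connection || event.connection.name !== TRUSTED_CONNECTION) return;

  const idpClaims = getIdpClaims(event);
  const patch = buildAppMetadataPatch(idpClaims, event.user.app_metadata || {});
  for (const [key, value] of Object.entries(patch)) {
    api.user.setAppMetadata(key, value);
  }
}

if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

The allowlist is the important design choice: copying every claim the IdP sends into app_metadata would let the upstream provider (or anyone who can influence its claims) write into data your application treats as authoritative.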