Setting AppMetadata via Action after SAML Authentication

sslotnick · December 9, 2022, 11:45pm

Hi, I’ve been hitting a weird error that I can easily reproduce but am struggling to understand. I have a SAML enterprise connection set up (using Okta as the IdP but via generic SAML connection). I then have a rule that copies group information from the SAML assertion and into the app_metadata (because I found other posts saying top level user data set via SAML mapping was not available in Actions).

So far so good… now I also have a Post Login action that does some other logic and sets different fields in the app_metadata using the api.user.setAppMetadata interface. When this action fires and calls to set the app metadata field, I get a Failed Login. BUT, the metadata IS actually set on the user when I look in the Auth0 console. So if I attempt to login again with the same user, it works. It appears that any time the app metadata is actually mutated by the action it causes a failure like the one below. Additionally, this only seems to happen when logging in via a SAML provider – using a Username-Password connection works just fine.

{
  "date": "2022-12-09T23:07:16.412Z",
  "type": "f",
  "description": "Internal",
  "connection": "my-okta",
  "connection_id": "XXXXXXXXX",
  "client_id": "XXXXXXXXXXX",
  "client_name": "XXXXXXX",
  "ip": "XXXXXXXXX",
  "user_agent": "Firefox 106.0.0 / Mac OS X 10.15.0",
  "details": {
    "body": {},
    "qs": {
      "state": "GpQOXh6qPpOs09bXEwNXswneZx7vCEpe"
    },
    "connection": "my-okta",
    "error": {
      "message": "Internal",
      "oauthError": "access_denied",
      "type": "oauth-authorization"
    },
    "session_id": "8T4lyni3E0zvjWyTdJEiMvkkw6sxfout",
    "stats": {
      "loginsCount": 13
    }
  },
  "hostname": "XXXXXXXXX.auth0.com",
  "user_id": "samlp|my-okta|XXXXXXXXXX",
  "user_name": "XXXXXXXXXX",
  "strategy": "samlp",
  "strategy_type": "enterprise",
  "audience": "https://XXXXXXXXXX.auth0.com/userinfo",
  "scope": [
    "openid",
    "profile",
    "email"
  ],
  "log_id": "90020221209230719264555787809657665959683577496675025042",
  "_id": "90020221209230719264555787809657665959683577496675025042",
  "isMobile": false,
  "id": "90020221209230719264555787809657665959683577496675025042"
}

Any ideas? This seems to suppress logs from the Action as well so it’s hard to see what’s going on and I haven’t been able to find anything referring to this Internal error description.

david_wisecarver · December 15, 2022, 12:12am

Hi @sslotnick,

Welcome to Auth0 Community!

I believe that error description may actually be coming from an Action or Rule that you have setup in your tenant. I have checked internally (no pun intended) on this, and it does not look like that is one of our error messages. We would recommend using the Real-Time Webtask extension along with some console.log statements to test and see if “Internal” is maybe an unexpected value for a custom error message being raised in a Rule or Action.

sslotnick · December 16, 2022, 11:54pm

Hi @david_wisecarver, Thanks for the follow-up and the tip about the debugger. I wasn’t able to find any action or rule failing to complete or catching any exceptions. I did see the following error on several failures though:

3:35:54 PM:
 (node:18) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 unpipe listeners added to [Socket]. Use emitter.setMaxListeners() to increase limit
3:35:54 PM:
 (node:18) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 close listeners added to [Socket]. Use emitter.setMaxListeners() to increase limit
(node:18) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 finish listeners added to [Socket]. Use emitter.setMaxListeners() to increase limit
(node:18) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 unpipe listeners added to [Socket]. Use emitter.setMaxListeners() to increase limit
(node:18) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 error listeners added to [Socket]. Use emitter.setMaxListeners() to increase limit
(node:18) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 close listeners added to [Socket]. Use emitter.setMaxListeners() to increase limit
(node:18) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 finish listeners added to [Socket]. Use emitter.setMaxListeners() to increase limit

I couldn’t find anything in the docs about this, do you know what would cause it?

Thanks,
–Steve

david_wisecarver · December 17, 2022, 12:23am

Hi Steve,

I have looked internally into the Possible EventEmitter memory leak detected. message and it is actually not related to any extensibility code you may have, and we have a backlog item to address having these appear in console log output.

As for the "Internal" error description, do you have any error handling in Actions or Rules that would potentially return that word? Is it also possible to test by disabling Actions and Rules one at a time to try to isolate where the issue may be coming from?

sslotnick · December 21, 2022, 12:17am

Hi @david.wisecarver, I think I found the problem. There’s nothing in our action code that throws an exception with “Internal” as far as I can tell. It only seems to happen when there is a colon : in the key name. For example, we set values such as this:

api.user.setAppMetadata("category:subcat", [val1, val2, val3]);

I was able to reproduce using a simple Action with no other code. When I remove the : it works but adding it back causes the first login to fail. When that happens there are no logs – neither those real time logs nor in the Logs section of the dashboard. When the issue occurs the “Actions” tab of the dashboard logs don’t appear.

sslotnick · January 3, 2023, 11:19pm

Hi @david_wisecarver, Does my previous post make sense? It seems like a bug within the platform and, if so, we’d love to have a fix so we can re-deprecate our usage of Rules.

david_wisecarver · January 4, 2023, 4:39pm

Hi @sslotnick,

Sorry for not getting back to you sooner on this. I actually attempted to reproduce what you have there and did not run into any issues whether I included a colon or not. Here is the app_metadata for the user I tested this on:

I am wondering if there may be an issue with the values in the array that could be causing the error. Would you be able to DM me a .har file that captures a failed login with this Action enabled?

konrad.sopala · January 8, 2024, 12:11pm

Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!