Howdy 
! Thank you very much for this awesome product!
I am having troubles in setting up the Lock from the Auth0 page for retrieving user_metadata. I followed the instructions on the documentation and set the params variable. However, the Login process keeps returning access_denied.
This is the settings of my Auth0 page for the Lock
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Sign In with Auth0</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>
<body>
<script src="https://cdn.auth0.com/js/lock/11.20/lock.min.js"></script>
<script>
// Decode utf8 characters properly
var config = JSON.parse(decodeURIComponent(escape(window.atob('@@config@@'))));
config.extraParams = config.extraParams || {};
var connection = config.connection;
var prompt = config.prompt;
var languageDictionary;
var language;
if (config.dict && config.dict.signin && config.dict.signin.title) {
languageDictionary = { title: config.dict.signin.title };
} else if (typeof config.dict === 'string') {
language = config.dict;
}
var loginHint = config.extraParams.login_hint;
var colors = config.colors || {};
// Available Lock configuration options: https://auth0.com/docs/libraries/lock/v11/configuration
var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
auth: {
redirectUrl: config.callbackURL,
responseType: (config.internalOptions || {}).response_type ||
(config.callbackOnLocationHash ? 'token' : 'code'),
params: {
scope: 'openid email user_metadata app_metadata picture', // I need the user_metadata and app_metadata
}
},
additionalSignUpFields: [
{
name: "full_name",
placeholder: "Enter your full name"
},
{
name: "organization",
placeholder: "Enter your Organization name"
}
],
assetsUrl: config.assetsUrl,
allowedConnections: connection ? [connection] : null,
rememberLastLogin: !prompt,
language: language,
languageDictionary: languageDictionary,
theme: {
primaryColor: colors.primary ? colors.primary : 'green'
},
prefill: loginHint ? { email: loginHint, username: loginHint } : null,
closable: false,
defaultADUsernameFromEmailPrefix: false,
});
if(colors.page_background) {
var css = '.auth0-lock.auth0-lock .auth0-lock-overlay { background: ' +
colors.page_background +
' }';
var style = document.createElement('style');
style.appendChild(document.createTextNode(css));
document.body.appendChild(style);
}
lock.show();
</script>
</body>
</html>
As you can see from the code above, I set the params with a specific scope of user_medata and app_metadata. I need both of them for my application.
The signup page works fine and the values get stored correctly, but the login redirect returns the following error:
{"statusCode":403,"description":"Invalid state","name":"AnomalyDetected","code":"access_denied"}
Final question: from the code above, how can I write into the app_metadata?
Thank you very much in advance 
