Universal Login (lock v11) custom scope

Howdy :cowboy_hat_face: ! Thank you very much for this awesome product!

I am having troubles in setting up the Lock from the Auth0 page for retrieving user_metadata. I followed the instructions on the documentation and set the params variable. However, the Login process keeps returning access_denied.

This is the settings of my Auth0 page for the Lock

<!DOCTYPE html>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Sign In with Auth0</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />

<script src="https://cdn.auth0.com/js/lock/11.20/lock.min.js"></script>
    // Decode utf8 characters properly
    var config = JSON.parse(decodeURIComponent(escape(window.atob('@@config@@'))));
    config.extraParams = config.extraParams || {};
    var connection = config.connection;
    var prompt = config.prompt;
    var languageDictionary;
    var language;

    if (config.dict && config.dict.signin && config.dict.signin.title) {
    languageDictionary = { title: config.dict.signin.title };
    } else if (typeof config.dict === 'string') {
    language = config.dict;
    var loginHint = config.extraParams.login_hint;
    var colors = config.colors || {};

    // Available Lock configuration options: https://auth0.com/docs/libraries/lock/v11/configuration
    var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
    auth: {
        redirectUrl: config.callbackURL,
        responseType: (config.internalOptions || {}).response_type ||
        (config.callbackOnLocationHash ? 'token' : 'code'),
        params: {
            scope: 'openid email user_metadata app_metadata picture',  // I need the user_metadata and app_metadata
    additionalSignUpFields: [
            name: "full_name",
            placeholder: "Enter your full name"
        name: "organization",
        placeholder: "Enter your Organization name"
    assetsUrl:  config.assetsUrl,
    allowedConnections: connection ? [connection] : null,
    rememberLastLogin: !prompt,
    language: language,
    languageDictionary: languageDictionary,
    theme: {
        primaryColor:    colors.primary ? colors.primary : 'green'
    prefill: loginHint ? { email: loginHint, username: loginHint } : null,
    closable: false,
    defaultADUsernameFromEmailPrefix: false,

    if(colors.page_background) {
    var css = '.auth0-lock.auth0-lock .auth0-lock-overlay { background: ' +
                colors.page_background +
                ' }';
    var style = document.createElement('style');




As you can see from the code above, I set the params with a specific scope of user_medata and app_metadata. I need both of them for my application.
The signup page works fine and the values get stored correctly, but the login redirect returns the following error:

{"statusCode":403,"description":"Invalid state","name":"AnomalyDetected","code":"access_denied"}

Final question: from the code above, how can I write into the app_metadata?

Thank you very much in advance :smile:

You cannot do this with an access token issued to a user. Only user_metadata are meant to be set by a user him/herself.

app_metadata requires a call to the management API, and thus an M2M approach. You’d need to setup a backend as M2M client application that calls the Auth0 Management API and handles the change requests.

Thank you for this answer! I’ll do the set of app_metadata from my backend.

On the other hand, I still have the same problem even removing the app_metadata from my scope. Any idea? I attached a screenshot to clarify a bit. The Signup works fine but not the redirect login

That seems unrelated to the scopes, I suggest to search in the forum for anomaly detection (haven’t checked all posts myself yet): http://community.auth0.com/search?q=AnomalyDetected