I managed to find the cause of this issue.
According to this doc, any custom user fields should be placed in the “user_profile” field in the returned profile object. Therefore, in my Get Profile Script, instead of returning
{
  "resource_id": "..."
}
I need to return
{
  "user_profile": {
    "resource_id": "..."
  }
}
and my rules can now see the updated values in user.user_profile.resource_id.
I think this behaviour is very confusing for two reasons:
- When the user first logs in, any top level fields returned from Get Profile Script will be recorded in the User object. However, subsequent logins WILL NOT update these fields (apart from some fields like name). This is what tripped me up - thinking that since the fields are being recorded on user creation, they must be updated every time the user logs in.
- Other default connections such as Salesforce all use top level fields on the user object for connection-specific fields (instead of putting them in user.user_profile) and they update correctly when you modify them in Salesforce! (For example, if I change the timezone of the user in Salesforce and log in again, the ‘timezone’ field of the user is updated successfully, despite it not being a default field according to the documentation.)
I want to suggest some improvements for Auth0 to make to avoid confusing other users in the future.
- When handling profile updates (after Get Profile Script returns), remove any fields that are not supported and log a warning in the webtask recommending them to put those fields in user_profile.
- For officially supported connections, put the connection-specific fields inside user_profile, for consistency's sake.