Thanks for the quick answer. I can confirm that in context, idToken is actually empty ({}). This is my Rule:
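function (user, context, callback) {
  // Auth0 Rule. Flow:
  //   1. A user who has never reset their password is sent a change-password
  //      e-mail and the login is denied.
  //   2. Otherwise the login is allowed only if app_metadata.permissions for
  //      the current client's short_code contains the required permission.
  //   3. On success, app/client info and the relevant permissions are copied
  //      onto `user` for downstream use.
  //
  // NOTE(review): everything below is written onto `user`, not onto
  // context.idToken — confirm that is where the token consumer reads it.

  if (user.last_password_reset == null) {
    // `== null` covers both undefined and null, as the original two-way check did.
    // NOTE(review): every login attempt by such a user triggers a reset e-mail;
    // consider whether that needs throttling on the Auth0 side.
    request.post({
      url: 'https://' + configuration.auth0_env_domain + '.eu.auth0.com/dbconnections/change_password',
      json: {
        client_id: context.ClientID,
        email: user.email,
        connection: context.connection
      }
    }, function (err, resp) {
      // Bug fix: the original invoked callback(UnauthorizedError) immediately
      // after request.post AND again from this handler on err / non-200, so
      // the rule could complete twice. The denial is now issued once, here,
      // after the reset request has actually finished.
      if (err) return callback(err);
      if (resp.statusCode !== 200) return callback(new Error('...'));
      return callback(new UnauthorizedError('You need to reset your password. We have sent you an email with instructions to reset it.'));
    });
    return;
  }

  // Missing clientMetadata is treated as "no permissions" (access denied)
  // rather than throwing a TypeError from the property access.
  var clientMetadata = context.clientMetadata || {};
  var appShortCode = clientMetadata.short_code;
  var permissions = (user.app_metadata && user.app_metadata.permissions) || {};
  var appPermissions = permissions[appShortCode];

  // Array.isArray guard: a non-array value here would otherwise throw on .some().
  var userHasAccess = Array.isArray(appPermissions) && appPermissions.some(function (permission) {
    return permission === 'xxxx';
  });

  if (!userHasAccess) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  user.app = clientMetadata.app;
  if (user.app_metadata && user.app_metadata.clients) {
    user.cli = user.app_metadata.clients;
  }

  user.app_scope = {};
  user.app_scope[appShortCode] = appPermissions;
  // Always include permissions for panel-api
  user.app_scope['panel-api'] = permissions['panel-api'];

  callback(null, user, context);
}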