
Where to find app_metadata in OIDC Conformant tokens & Express

oidc-conformant
express
express-jwt

#1

Hi everyone,
I’m having some troubles connecting the dots for how to get app_metadata from a jwt token with Auth0. I am using Auth0 with an express app. I added the following lines to a rule that I had in the auth0 dashboard:

  var namespace = 'company';
  if('company' in user.app_metadata) {
    context.idToken[namespace]=user.app_metadata.company || "";
  }

In my express app, I take a look at my request and response, and I can’t find anything with the the namespace “company”. Where should I be looking for this? I do use a jwt package that will take the jwt, verify it and add the decoded token info under req.user:

import jwt from 'express-jwt';
import jwksRsa from 'jwks-rsa';
app.use(jwt({
  // Fetch the RS256 signing key from the tenant's JWKS endpoint
  secret: jwksRsa.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: 'https://zzz.auth0.com/.well-known/jwks.json',
  }),
  audience: 'http://localhost:5000',
  issuer: 'https://zzz.auth0.com/',
  credentialsRequired: false,
  algorithms: ['RS256'],
}));

My question is what am I missing here? I did enforce OIDC Conformant so I know the metadata won’t be in the token itself, but I just can’t figure out where to look.

Thanks!


#2

The namespace should be of the form http://your.domain/company to avoid collisions with other claims.

   var namespace = 'http://your.domain/company';
   if('company' in user.app_metadata) {
     context.idToken[namespace]=user.app_metadata.company || "";
   }

#3

Thanks for the feedback, I changed the namespace to my domain but I still can’t figure out where to find that field in either the req or res part of my express app.

Looking at my req headers, I see this:

Looking through the rest of those two objects, there isn’t obviously a field that has the new namespace that I created. I bet I am just looking in the wrong spot, but I’d love to find out where I need to be looking. Thanks!


#4

It is inside the token. Copy the authorization header, excluding Bearer, and head over to jwt.io and decode the token there.



#7

Sorry for the long delay but I’m still having issues with this. I modified the rule to the following, and when I log in, I see that idToken is being set in my context when I use the Real-time Webtask Logs in Auth0. When I go to my express webserver, I get a token in my header that does not include this new field when I decode it on jwt.io. I also do not see any additional fields coming back in my header. The namespace here matches the audience I am using for auth0. How exactly do I add that field to the jwt token? Thanks for your help!

  getPolicy(user, context, function(err, res, data) {
    if (err) {
      console.log('Error from Authorization Extension:', err);
      return callback(new UnauthorizedError('Authorization Extension: ' + err.message));
    }

    if (res.statusCode !== 200) {
      console.log('Error from Authorization Extension:', res.body || res.statusCode);
      return callback(
        new UnauthorizedError('Authorization Extension: ' + ((res.body && (res.body.message || res.body) || res.statusCode)))
      );
    }
    console.log(user.app_metadata);
    var namespace = 'http://localhost:5000';
    if('company' in user.app_metadata) {
      context.idToken[namespace]=user.app_metadata.company || "";
    }
    console.log(context);

    // Update the user object.
    user.groups = data.groups;

    return callback(null, user, context);
  });

#8

According to this page, Auth0 will exclude non-namespaced claims. Could it be http://localhost:5000 is not approved as a namespace since it is not unique? And you should probably have a name in addition to the url as key.

     if('company' in user.app_metadata) {
       context.idToken['http://localhost:5000/company']=user.app_metadata.company || "";
     }
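An added example (not code from the thread or from Auth0) showing both halves of the flow: a rule-style function that writes the namespaced app_metadata claim, and the Express side reading it from req.user after express-jwt has verified the token. It assumes the namespace prefix http://your.domain/ and that express-jwt attaches the decoded payload to req.user; because an API verifies the access token sent as Bearer, not the ID token, the claim is written to context.accessToken as well as context.idToken.

```javascript
// Assumed namespace prefix; OIDC-conformant tokens keep only namespaced custom claims.
const NAMESPACE = 'http://your.domain/';

// Mirrors the rule from the thread (runs inside Auth0; user/context are Auth0's objects).
// The claim goes on both tokens: the ID token for the client, the access token for the API.
function addCompanyClaim(user, context) {
  const meta = user.app_metadata || {};
  if ('company' in meta) {
    const claim = NAMESPACE + 'company';
    context.idToken[claim] = meta.company || '';
    context.accessToken[claim] = meta.company || '';
  }
  return context;
}

// Express side: express-jwt has already checked signature, issuer and audience
// and placed the decoded payload on req.user (undefined when no token was sent,
// which credentialsRequired: false allows).
function companyFromPayload(payload) {
  if (!payload) return null;
  const value = payload[NAMESPACE + 'company'];
  return typeof value === 'string' ? value : null;
}

// Middleware to mount after app.use(jwt(...)): rejects requests without the claim.
function requireCompany(req, res, next) {
  const company = companyFromPayload(req.user);
  if (company === null) {
    res.status(401).json({ error: 'missing ' + NAMESPACE + 'company claim' });
    return;
  }
  req.company = company;
  next();
}

// Constructed sample data (not a real Auth0 user or token).
const sampleUser = { app_metadata: { company: 'Acme' } };
const sampleContext = addCompanyClaim(sampleUser, { idToken: {}, accessToken: {} });
// sampleContext.accessToken['http://your.domain/company'] is now 'Acme'
```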
