
Auth0: how to retrieve app_metadata and user_metadata in token?


I am trying to authenticate a user with their username and password. I want to retrieve the JWT in the response and find the user's permissions (stored in app_metadata) in it.

But the id_token returned does not contain the user_metadata or app_metadata.

I tried both the Java driver and a direct HTTP call.

Java:

    import com.auth0.client.auth.AuthAPI;
    import com.auth0.exception.Auth0Exception;
    import com.auth0.json.auth.TokenHolder;
    import com.auth0.net.AuthRequest;

    // Resource Owner Password flow via the Java client; the scope asks for the
    // metadata alongside openid.
    AuthAPI auth = new AuthAPI("my-domain.auth0.com", "my_client_id", "my_secret_id");
    AuthRequest request = auth.login(username, password)
            .setScope("openid app_metadata user_metadata");
    try {
        TokenHolder holder = request.execute();
        return holder;
    } catch (Auth0Exception e) {
        throw new AuthentException("Error authenticating " + username, e);
    }

HTTP:

    import org.springframework.http.HttpEntity;
    import org.springframework.http.HttpHeaders;
    import org.springframework.http.HttpMethod;
    import org.springframework.http.MediaType;
    import org.springframework.http.ResponseEntity;
    import org.springframework.web.client.RestTemplate;

    // Same password grant sent directly to the /oauth/token endpoint.
    final String req = "{"
            + "\"username\":\"[email protected]\","
            + "\"password\":\"test\","
            + "\"scope\":\"openid app_metadata user_metadata\","
            + "\"client_id\":\"my_client_id\","
            + "\"client_secret\":\"my_secret_id\","
            + "\"grant_type\":\"password\""
            + "}";
    RestTemplate template = new RestTemplate();
    HttpHeaders headers = new HttpHeaders();
    headers.setContentType(MediaType.APPLICATION_JSON);
    HttpEntity<String> entity = new HttpEntity<>(req, headers);

    ResponseEntity<String> response = template.exchange(
            "https://my-domain.auth0.com/oauth/token", HttpMethod.POST, entity, String.class);

The id_token returned contains only:

 {
   "email": "[email protected]",
   "email_verified": true,
   "iss": "https://my-domain.auth0.com/",
   "sub": "auth0|xxx",
   "aud": "my_client_id",
   "exp": 1497744462,
   "iat": 1495116462
 }

I tried to add a rule:

    function (user, context, callback) {
      var namespace = 'https://my-domain.auth0.com/';
      if (context.idToken && user.user_metadata) {
        context.idToken[namespace + 'user_metadata'] = user.user_metadata;
      }
      if (context.idToken && user.app_metadata) {
        context.idToken[namespace + 'app_metadata'] = user.app_metadata;
      }
      callback(null, user, context);
    }

And a hook:

    module.exports = function(client, scope, audience, context, cb) {
      var access_token = {};
      access_token.scope = scope;
      access_token.scope.push('user_profile');
      cb(null, access_token);
    };

But nothing adds the metadata to the id_token.

How can I retrieve this metadata?

Thanks.


Solution

  • I found that the /oauth/ro endpoint is working: https://auth0.com/docs/api/authentication#resource-owner

        final String req = "{"
                + "\"username\":\"[email protected]\","
                + "\"password\":\"test\","
                + "\"scope\":\"" + settings.getScope() + "\","
                + "\"connection\":\"Username-Password-Authentication\","
                + "\"client_id\":\"" + settings.getClientId() + "\","
                + "\"grant_type\":\"password\""
                + "}";
        RestTemplate template = new RestTemplate();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON);
        HttpEntity<String> entity = new HttpEntity<>(req, headers);

        ResponseEntity<String> response = template.exchange(
                "https://my-domain.auth0.com/oauth/ro", HttpMethod.POST, entity, String.class);

    But I can't find the equivalent in the Java driver 1.0.0.
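Added example, not code from the question or from Auth0: a locally testable version of the rule in the question, plus the client-side read of the resulting claims. Auth0 only forwards custom claims whose key is a URL-style namespace and silently drops claims namespaced under its own domains (auth0.com, webtask.io, webtask.run), which is what the rule above does with `https://my-domain.auth0.com/`. The namespace `https://example.com/` is a constructed placeholder for a domain you control.

```javascript
// Added example (not the asker's or Auth0's code). Constructed placeholder
// namespace: use a URL on a domain you control, never an Auth0-owned one.
const EXAMPLE_NAMESPACE = 'https://example.com/';
// Auth0 silently drops custom claims namespaced under these domains.
const RESERVED_NAMESPACE_DOMAINS = ['auth0.com', 'webtask.io', 'webtask.run'];

function isAllowedNamespace(namespace) {
  let host;
  try { host = new URL(namespace).hostname; } catch (e) { return false; }
  return !RESERVED_NAMESPACE_DOMAINS.some(d => host === d || host.endsWith('.' + d));
}

// Returns a rule with Auth0's (user, context, callback) signature that copies
// the metadata into namespaced id_token claims, failing the login loudly
// instead of letting a reserved namespace make the claims vanish.
function makeMetadataRule(namespace) {
  return function (user, context, callback) {
    if (!isAllowedNamespace(namespace)) {
      return callback(new Error('namespace ' + namespace + ' is reserved or not a URL'));
    }
    if (context.idToken && user.user_metadata) {
      context.idToken[namespace + 'user_metadata'] = user.user_metadata;
    }
    if (context.idToken && user.app_metadata) {
      context.idToken[namespace + 'app_metadata'] = user.app_metadata;
    }
    callback(null, user, context);
  };
}

// Client side: pull the permissions back out of the id_token payload. This
// only decodes; the signature must already have been verified (e.g. with
// java-jwt in the Java client) before any claim is trusted.
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function readPermissions(idToken, namespace) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const appMeta = payload[namespace + 'app_metadata'];
  return appMeta && Array.isArray(appMeta.permissions) ? appMeta.permissions : [];
}
```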