auth0 / auth0-spa-js

Auth0 authentication for Single Page Applications (SPA) with PKCE
MIT License

user_metadata missing from user object #286

Closed devuxer closed 4 years ago

devuxer commented 4 years ago

Description

I have a rule that sets a key in the user_metadata on login. This information is needed by the client. I have verified that the user_metadata was set correctly via the Auth0 dashboard. When I perform auth0Client.getUser() from the client, however, the user_metadata is undefined.

Reproduction

  1. Set user_metadata using Auth0 dashboard or via a rule.
  2. Perform auth0Client.getUser().
  3. Examine the resulting object.

Environment

matinfo commented 4 years ago

First, this is NOT an issue; for all questions please post in Auth0.community, and for info, the answer can be found in the Auth0 documentation:

But to help you, here is how to get user_metadata or app_metadata from getUser(): it needs to be injected into the idToken like this: a) create an Auth0 Rule like this:

function (user, context, callback) {
  const namespace = 'https://my-namespace/';
  user.user_metadata = user.user_metadata || {};
  user.user_metadata.custom_user_data = user.user_metadata.custom_user_data || null;
  context.idToken[`${namespace}custom_user_data`] = user.user_metadata.custom_user_data;
  callback(null, user, context);
}

next you will be able to access it from the user object returned by getUser(): user['https://my-namespace/custom_user_data']; https://my-namespace/ needs to be personalised for your project of course.

devuxer commented 4 years ago

@matinfo,

  1. Thanks for the help! I will try putting my user_metadata in an ID token. Edit: tried this, and it does work 👍.
  2. I disagree that this not an issue. getUser() does not return the same information I see when I view the raw JSON for a user on the Auth0 dashboard. Why not? If you don't want to consider this an issue, at least consider it a feature request.
  3. I searched https://auth0.com/docs/libraries/auth0-spa-js, and didn't find anything for either "user_metadata" or "metadata". So, which documentation are you referring to?

matinfo commented 4 years ago

What is returned in the IDToken is not a specificity of auth0-spa-js SDK!

Look here: https://auth0.com/docs/users/concepts/overview-user-profile#user-profile-vs-tokens and https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis

The claims within a JWT generally contain a subset of the information available on the user profile in order to minimize the overall size.

If you want to get the full user profile, here is how: https://auth0.com/docs/api/management/v2/get-access-tokens-for-spas

devuxer commented 4 years ago

Using the management API is no cleaner than stuffing the user_metadata into the IDToken, so I'll stick with your original workaround.

I still don't understand why getUser() doesn't contain the same properties as Auth0 Dashboard > User Details > Raw JSON.

matinfo commented 4 years ago

@devuxer It is not a workaround! It is how you need to do it.

https://auth0.com/docs/users/normalized/auth0

It is not an issue; you can close this ticket. And go to Auth0.community to ask questions.

Standaa commented 4 years ago

I second @devuxer's request. The documentation is not very clear. The SPA API stipulates that you can pass options to getUser(), but it does not seem to work as expected. What is the point of building a SPA SDK if you need to use other APIs to get all the profile information? Furthermore, a similar question has already been asked on the community forum some 13d ago and has received no answers so far. It requires understanding that you have to enable and use the management API to get a hold of the user metadata. This is far from being obvious.

stevehobbsdev commented 4 years ago

I still don't understand why getUser() doesn't contain the same properties as Auth0 Dashboard > User Details > Raw JSON.

As mentioned earlier, one of the reasons we don't include the whole user JSON inside the ID token is to keep the token small. We provide a few common properties out-of-the-box already, as you've seen. If you wish to include additional data that you do not currently have by reading the claims from the ID token (by using getUser() or getIdTokenClaims()), then the recommended way is to add that data to the token using a rule.

The SPA API stipulates that you can pass options to getUser(), but it does not seem to work as expected.

@stanislasdrg can I have some more detail on this? What were your expectations of using this method?

What is the point of building a SPA sdk if you need to use other APIs to get all the profile information ?

To be clear, you should absolutely not need to know anything about the management API to use this SDK. The extensibility feature ☝️ we provide is the way forward in terms of getting custom data to your app through a token.
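An added, runnable illustration of the approach described by matinfo and stevehobbsdev above (not code from the auth0-spa-js project): the Rule from the thread is mirrored as a plain function and run against a constructed user, and a small client-side helper reads the namespaced claim back out of the object that getUser() would return. `rule`, `simulateLogin`, `readNamespacedClaims` and the sample user are assumptions made for this example; the only real API surface is the namespaced-claim convention itself.

```javascript
// Added example, not part of the auth0-spa-js project or this thread's code.
// The ID token is readable by the browser, so only data the client should
// see belongs in it; user_metadata itself never appears, only the claim
// the rule copies out of it.

const NAMESPACE = 'https://my-namespace/'; // URL-style namespace, as in the thread

// Mirror of matinfo's Rule, written as an ordinary function so it runs offline.
// In Auth0 a Rule receives (user, context, callback) exactly like this.
function rule(user, context, callback) {
  user.user_metadata = user.user_metadata || {};
  user.user_metadata.custom_user_data = user.user_metadata.custom_user_data || null;
  context.idToken[`${NAMESPACE}custom_user_data`] = user.user_metadata.custom_user_data;
  callback(null, user, context);
}

// Run the rule against a constructed user and return what getUser() would
// decode from the resulting ID token: standard claims plus the rule's claim.
function simulateLogin(userMetadata) {
  const user = { sub: 'auth0|123', email: 'a@example.com', user_metadata: userMetadata };
  const context = { idToken: {} };
  let added;
  rule(user, context, (err, u, ctx) => {
    if (err) throw err;
    added = ctx.idToken;
  });
  return { sub: user.sub, email: user.email, ...added };
}

// Client side: collect every claim under the namespace and strip the prefix,
// leaving the standard OIDC claims (sub, email, ...) untouched. The namespace
// is checked to be an absolute URL ending in "/" so it cannot collide with a
// standard claim name.
function readNamespacedClaims(claims, namespace) {
  if (!/^https?:\/\/.+\/$/.test(namespace)) {
    throw new Error('namespace must be an absolute URL ending in "/"');
  }
  const out = {};
  for (const [key, value] of Object.entries(claims)) {
    if (key.startsWith(namespace)) out[key.slice(namespace.length)] = value;
  }
  return out;
}

const claims = simulateLogin({ custom_user_data: 'premium' });
console.log(readNamespacedClaims(claims, NAMESPACE)); // { custom_user_data: 'premium' }
```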

Standaa commented 4 years ago

@stevehobbsdev Thank you for your thorough answer. My initial expectation was to be able to simply read the MFA phone number by passing a modified scope in getUser options. Sounded overkill to use the management API to get read access to that information. I will look into adding a rule. Thanks.

stevehobbsdev commented 4 years ago

@stanislasdrg Yes that would be overkill. At the same time I wouldn't consider it a common property that we would include in the token by default; adding a rule here to add it to the token for your specific use case is the way to go.

devuxer commented 4 years ago

@stevehobbsdev,

Thank you for your helpful explanations and context.

That said, my biggest problem is that the documentation for getUser doesn't say which user attributes are returned and which aren't. And for the ones that aren't, why and how to get them if you need them.

matinfo commented 4 years ago

@devuxer : the doc says "Returns the user information if available (decoded from the id_token)."

stevehobbsdev commented 4 years ago

@devuxer It's probably more useful to look at the claims that are returned in our ID tokens rather than specifically at the getUser method. It's largely non-deterministic as you can customize what claims are returned, but the document I linked does talk about some standard claims that are defined by the OIDC specification.

I'll close this for now as it looks like we've reached an understanding, but feel free to continue the conversation if you wish.

devuxer commented 4 years ago

@stevehobbsdev

I understand how to proceed at this point, yes, but I'm trying to point out that the valuable information you (and @matinfo) have provided here is not easily discoverable in the docs. I think it would help others if more detail were included in the auth0-spa-js docs directly.