Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Corrected app_metadata and user_metadata retrieval. #178

Closed
landonreed opened this issue Dec 7, 2018 · 8 comments
Closed

Corrected app_metadata and user_metadata retrieval. #178

landonreed opened this issue Dec 7, 2018 · 8 comments
Assignees
@landonreed
Labels
imported

Comments

@landonreed
Copy link
Contributor

Issue by typhoon2099
Monday Apr 09, 2018 at 15:59 GMT
Originally opened as catalogueglobal#72

app_metadata and user_metadata can't be returned by the userinfo endpoint any more (unless you signed paid for Auth0 before 1st September 2017). This pull request and the following Auth0 rule corrects this:

function (user, context, callback) {
  var namespace = 'http://catalogue/';
   if (context.idToken && user.user_metadata) {
     context.idToken[namespace + 'user_metadata'] = user.user_metadata;
   }
   if (context.idToken && user.app_metadata) {
     context.idToken[namespace + 'app_metadata'] = user.app_metadata;
   }
   callback(null, user, context);
}

typhoon2099 included the following code: https://github.com/catalogueglobal/datatools-ui/pull/72/commits
@landonreed landonreed self-assigned this Dec 7, 2018
@landonreed
Copy link
Contributor Author

Comment by skinkie
Tuesday Jul 10, 2018 at 19:48 GMT

Can confirm this works, at least ... the next problem is...
catalogueglobal/datatools-server#102

@landonreed
Copy link
Contributor Author

Comment by abyrd
Wednesday Jul 11, 2018 at 15:47 GMT

@landonreed have you tested out this pull request?

@landonreed
Copy link
Contributor Author

Comment by landonreed
Thursday Jul 12, 2018 at 15:42 GMT

When attempting to add the rule to our Auth0 account and clicking 'Try this rule', I get: ERROR: Unknown error. Possible reason: you are not calling callback(null, user, context)

@landonreed
Copy link
Contributor Author

Comment by landonreed
Thursday Jul 12, 2018 at 15:47 GMT

Ah, never mind. I was including an underscore in the rule description and Auth0 didn't like that.

@landonreed
Copy link
Contributor Author

Comment by landonreed
Thursday Jul 12, 2018 at 16:09 GMT

Adding this rule does not appear to work for our (pre-September 2017) existing Auth0 account; however, it does work for a test account I created a couple of days ago.

In order to accept this PR, the assignment of the profile.app_metadata and profile.user_metadata to the catalogue-scoped values should be wrapped in a conditional, e.g.:

if (typeof profile.user_metadata === 'undefined' && typeof profile.app_metadata === 'undefined') {
  profile.app_metadata = profile['http://catalogue/app_metadata']
...

There should also be sufficient comments about what is going on here (the reason for the assignment and wrapping it in an if block) and a reference to this issue and any other Auth0 documentation about the rule that @typhoon2099 provided above. I would also like to see a check for the existence of the scoped fields within this block and an informative error thrown about the Auth0 rule if it is not found. And an update to the docs regarding Auth0 setup would be greatly appreciated.

As @skinkie mentioned above, this also depends on a server fix, which we'd be happy to review if anyone has some code that's backwards-compatible. Thanks so much for investigating this!

@landonreed
Copy link
Contributor Author

Comment by landonreed
Thursday Jul 12, 2018 at 16:22 GMT

I've also just discovered that adding the above rule to a pre-September 2017 Auth0 account does not play nicely with applications running with the existing Auth setup. So, I'm not entirely sure this rule/hack is a great path forward.

Edit: in other words, when I added the rule to our existing account, authentication seemed to stop working for our applications running the existing code. I'm not sure if there's a way to isolate the application of rules to a single application within an Auth0 tenant.

@landonreed
Copy link
Contributor Author

Comment by landonreed
Thursday Aug 30, 2018 at 16:29 GMT

I have just learned that it is possible to check the clientID on the context arg in the rule. For example:

function (user, context, callback) {
  // Only apply rule to certain client
  if (context.clientID === 'ABC123') {
    const namespace = 'http://datatools/';
    if (context.idToken && user.user_metadata) {
      context.idToken[namespace + 'user_metadata'] = user.user_metadata;
    }
    if (context.idToken && user.app_metadata) {
      context.idToken[namespace + 'app_metadata'] = user.app_metadata;
    }
  }
  callback(null, user, context);
}

So for Conveyal's Auth0 tenant, we can apply this rule only to certain applications, which means it won't interfere with our other production applications.

Adding this rule and changing the client to get the user profile from a datatools-server endpoint (rather than using the Auth0 Lock getUserInfo endpoint, should be enough to fix the Auth0 issue.

@landonreed
Copy link
Contributor Author

Comment by landonreed
Friday Oct 12, 2018 at 16:50 GMT

Closing in favor of #250

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@landonreed landonreed

Labels
imported
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@landonreed