Auth0:如何在令牌中检索app_metadata和user_metadata?

时间:2017-05-18 14:37:49

标签: java authentication authorization auth0

我尝试使用其用户名和密码对用户进行身份验证。我想在响应中检索JWT并在其中找到他的权限(存储在app_metadata中)。

但返回的id_token不包含user_metadata或app_metadata。

我尝试使用Java驱动程序和HTTP调用。

Java:

 AuthAPI auth = new AuthAPI("my-domain.auth0.com", "my_client_id", "my_secret_id");
 AuthRequest request = auth.login(username, password)
         .setScope("openid app_metadata user_metadata");
 try {
     TokenHolder holder = request.execute();
     return holder;
 } catch (Auth0Exception e) {
     throw new AuthentException("Error authenticating " + username, e);
 }

HTTP:

     final String req = "{"
             + "\"username\":\"test@domain.com\","
             + "\"password\":\"test\","
             + "\"scope\":\"openid app_metadata user_metadata\","
             + "\"client_id\":\"my_client_id\","
             + "\"client_secret\":\"my_secret_id\","
             + "\"grant_type\":\"password\""
             + "}";
     RestTemplate template = new RestTemplate();
     HttpHeaders headers = new HttpHeaders();
     headers.setContentType(MediaType.APPLICATION_JSON);
     HttpEntity<String> entity = new HttpEntity<>(req, headers);

     ResponseEntity<String> response = template.exchange("https://my-domain.auth0.com/oauth/token", HttpMethod.POST, entity, String.class);

返回的id_token仅包含:

 {
   "email": "test@domain.com",
   "email_verified": true,
   "iss": "https://my-domain.auth0.com/",
   "sub": "auth0|xxx",
   "aud": "my_client_id",
   "exp": 1497744462,
   "iat": 1495116462
 }

我尝试添加规则:

function (user, context, callback) {
   var namespace = 'https://my-domain.auth0.com/';
   if (context.idToken && user.user_metadata) {
     context.idToken[namespace + 'user_metadata'] = user.user_metadata;
   }
   if (context.idToken && user.app_metadata) {
     context.idToken[namespace + 'app_metadata'] = user.app_metadata;
   }
   callback(null, user, context);
 }

还有一个钩子:

module.exports = function(client, scope, audience, context, cb) {
   var access_token = {};
   access_token.scope = scope;
   access_token.scope.push('user_profile');
   cb(null, access_token);
 };

但没有任何内容将元数据添加到id_token。

我如何检索这些元数据?

感谢。

1 个答案:

答案 0 :(得分:1)

我发现/ oauth / ro端点正在运行:https://auth0.com/docs/api/authentication#resource-owner

         final String req = "{"
                 + "\"username\":\"ambre@domain.com\","
                 + "\"password\":\"test\","
                 + "\"scope\":\"" + settings.getScope() + "\","
                 + "\"connection\":\"Username-Password-Authentication\","
                 + "\"client_id\":\"" + settings.getClientId() + "\","
                 + "\"grant_type\":\"password\""
                 + "}";
         RestTemplate template = new RestTemplate();
         HttpHeaders headers = new HttpHeaders();
         headers.setContentType(MediaType.APPLICATION_JSON);
         HttpEntity<String> entity = new HttpEntity<>(req, headers);

         ResponseEntity<String> response = template.exchange("https://my-domain.auth0.com/oauth/ro", HttpMethod.POST, entity, String.class);

但是我找不到java驱动程序1.0.0中的等价物