Stitch custom jwt authentication not able to set metadata fields from jwt

I am using Auth0 as a custom authentication provider with Stitch. The JWT access token sent to Stitch has the “sub” field in the payload.

I want to set a metadata field “externalUserId” on the Stitch user object. Following steps at https://docs.mongodb.com/stitch/authentication/custom-token/#metadata-fields, I have setup fields as following:

I am using the browser SDK for authentication like following:

auth.loginWithCredential(new CustomCredential(token))

The request fails with the following error:

{"error":"expected field 'sub' to be in token metadata","error_code":"AuthError","link":"redacted"}

I have double-checked that the access-token being passed has the “sub” field.

I have exactly the same problem.

Did you figure this out?


Update

After a lot of tinkering I ~concluded~ Stitch doesn’t allow certain fields as Metadata, like you want to.

Auth0 Access Token basically use these fields:

* iss (issuer): Issuer of the JWT
* sub (subject): Subject of the JWT (the user)
* aud (audience): Recipient for which the JWT is intended
* exp (expiration time): Time after which the JWT expires
* nbf (not before time): Time before which the JWT must not be accepted for processing
* iat (issued at time): Time at which the JWT was issued; can be used to determine age of the JWT

Out of all those, only iss is read by Stitch as metadata. The others are ignored. Under the hood Stitch might use those fields for other stiff. We know that’s at least the case for aud, that is (optionally) used for verification.

Solution

My goal was slightly different than OP’s, but close enough. I wanted to pass custom fields from Auth0 to Stitch through the access token.

First I needed to create a rule in Auth0, adding a field to the token. Auth0 requires the fields to be namespaced in the form of a url:

function (user, context, callback) {
  const namespace = 'http://example.com/';
  context.accessToken[namespace + 'email'] = user.email;
  callback(null, user, context);
}

So I now had a token with a field { "http://example.com/email: email@example.com" } , which I could verify by decoding it.

However Stitch wouldn’t read it, yielding

Error:
expected field 'http://example.com/email' to be in token metadata

I struggled to see why Stitch wouldn’t read that. Hours. Until I remembered the note about the dot notation.

Stitch interprets the Path http://example.com/email as

{ "http://example": { "com/email" : <val> } }

Adding quotes didn’t work either:

Error:
expected field '"http://example.com/email"' to be in token metadata

Finally the trick was to remove the dot altogether:

function (user, context, callback) {
  const namespace = 'http://examplecom/';
  context.accessToken[namespace + 'email'] = user.email;
  callback(null, user, context);
}

And adding http://examplecom/email as the Path.

2 Likes