Adding user_metadata #223

Closed
drwxmrrs opened this issue Aug 4, 2016 · 12 comments
Comments

@drwxmrrs

drwxmrrs commented Aug 4, 2016

Hi guys,

I'm looking at a way to add user_metadata to a given user; currently I have:

function my_auth0_update_user($user_id, $attrs) {
    // Plugin settings: the Auth0 domain and the Management API token.
    $domain    = WP_Auth0_Options::Instance()->get('domain');
    $api_token = WP_Auth0_Options::Instance()->get('auth0_app_token');

    // PATCH the user via the plugin's API client; $attrs is the request body.
    return WP_Auth0_Api_Client::update_user($domain, $api_token, $user_id, $attrs);
}

function my_auth0_update_current_user($attrs) {
    // Auth0 profile of the currently logged-in WordPress user, as stored at login.
    $current_user = get_currentauth0user();

    return my_auth0_update_user($current_user->auth0_obj->user_id, $attrs);
}

my_auth0_update_current_user(array(
    'user_metadata' => array('k' => 'v'),
));

This works, however, the user_metadata only refreshes when a user logs out and logs back in.

Secondly, I can't find a way to find the Auth0 user ID based on the WordPress user ID. So we have to use the current user each time, which could become problematic if you're trying to update someone else's profile.

I've tried using the Auth0 Edit Profile Widget; however, it seems to throw a React error and I'm not sure what the user_token would be.

Thirdly, the get_auth0currentuserinfo() function always returns false. Not sure why this is, as get_auth0currentuser() seems to work fine.

So, TL;DR:

  1. Is there a way to update the user_metadata and have it refresh automatically?
  2. Is there a way to find the Auth0 user id via the WordPress user ID?
  3. The get_auth0currentuserinfo() function always returns false, however get_auth0currentuser works.
@glena
Contributor

glena commented Aug 5, 2016

  1. Is there a way to update the user_metadata and have it refresh automatically?

The user profile is only updated on login. You might need to refresh it after updating the user profile.

This is the way the plugin stores the user info in the user_meta: https://github.com/auth0/wp-auth0/blob/master/lib/WP_Auth0_UsersRepo.php#L165-L170. You should do the same with the new profile.

  2. Is there a way to find the Auth0 user id via the WordPress user ID?

Yes, check the user meta for that user:
https://github.com/auth0/wp-auth0/blob/master/lib/WP_Auth0_UsersRepo.php#L165-L170

  3. The get_auth0currentuserinfo() function always returns false, however get_auth0currentuser works.

OK, I will check.

@drwxmrrs
Author

drwxmrrs commented Aug 8, 2016

Hi Glena,

Thanks for getting back.

The only way I can see to get user_metadata from Auth0 is to save the user's access_token at login, then use that to request the user_metadata from Auth0 on subsequent requests. Is this the right way to go about it?

My desired setup would be:

  1. User logs in to both website 1 and website 2 using Auth0 SSO.
  2. User updates arbitrary information on website 1.
  3. User refreshes page on website 2 and the information from website 1 is there.

@glena
Contributor

glena commented Aug 8, 2016

Yes, you are right, but not the access_token: the id_token.

About your setup: this will only happen if the user is not logged into website 2, so when the user accesses it, the user profile will be updated. If the user is already logged in to site 2, the profile will not be updated. In this case, you will need to build some API to call on the other site each time you change something on the profile, to get it synchronised.

@dleeward

dleeward commented Aug 8, 2016

Can data not be stored globally for the user rather than an individual login?

@glena
Contributor

glena commented Aug 8, 2016

Sorry, I didn't understand what you meant.

@glena glena added the question label Aug 16, 2016
@drwxmrrs
Author

drwxmrrs commented Aug 19, 2016

Maybe I'm thinking about it wrong, but if a user stores something transient such as a shopping list to their user_metadata, how can that shopping list be shown on other applications without the user needing to re-authenticate? Is there a way to invalidate a JWT and force other applications to refresh on load?

Additionally, my main reason for choosing Auth0 is so user information isn't stored on our servers; however, the plugin creates a user account via wp_insert_user. If we have many applications with SSO, this means we encounter duplicate user accounts.

@glena
Contributor

glena commented Aug 19, 2016

No. It is not an issue related to Auth0 but one of how to synchronise your data between your apps. In this scenario Auth0 is just a data store, and you will need to define how you want to deal with this.

Possible approaches:

  • Create a webhook on each of your apps and, each time you change something on the metadata, call this webhook to notify them to update a certain user.
  • Manually call the Auth0 API to fetch the user profile and update the info of the logged-in user.
  • Use refresh tokens, so each time the token expires you use it to fetch a new one.

For the last one, I will need to make a couple of changes to give you the refresh token in the user login action (https://github.com/auth0/wp-auth0#user-login-action) so you can do the rest (check if the token has expired, fetch a new one and update the user profile).

@drwxmrrs
Author

Thanks Glena.

I think I've found a solution to this, but would like your input on one thing:

  1. User logs in at client1.com.
  2. Client1.com performs a callback to master.client.com with responseType: code. Master creates a WP user account and is the source of truth for extended profile information (including shopping lists etc)
  3. Client1.com can now send a JWT header in each request to access the profile information on master.

Where I'm getting confused is how to send the profile back to client1.com from master. Is it safe to redirect to client1.com with the access token obtained from master? e.g.:

wp_redirect('client1.com/#access_token=...');

Is this a typical scenario?

@glena
Contributor

glena commented Sep 1, 2016

Sounds a little bit over-engineered (a very complex scenario to maintain and very error-prone).

I would go with finding a way to notify other apps that the user profile has changed, as I said before (first proposal), or avoid storing the profile and fetch it from Auth0 (second proposal; you can cache this to avoid calling on every page request).
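As an added example (not code from this thread or from the wp-auth0 plugin), the pieces glena suggests above put together for a WordPress site: resolve the Auth0 user id from WP user meta, update user_metadata for that user and store the returned profile the way the plugin does at login, and fetch the live profile through the Management API with a short transient cache so it is not called on every page request. It assumes the meta key auth0_id under the table prefix, that WP_Auth0_UsersRepo::update_auth0_object() exists as a static method, and that WP_Auth0_Api_Client::update_user() returns the updated profile or false; none of these is confirmed by the thread.

```php
// Added example, not code from the wp-auth0 plugin or this thread. Assumed, not
// confirmed here: the plugin keeps the Auth0 user id in WP user meta under
// $wpdb->prefix . 'auth0_id', and WP_Auth0_UsersRepo::update_auth0_object() is static.

// Resolve the Auth0 user_id for any WordPress user from its user meta (question 2).
function my_auth0_user_id_for_wp_user( $wp_user_id ) {
    global $wpdb;
    return get_user_meta( $wp_user_id, $wpdb->prefix . 'auth0_id', true ) ?: null;
}

// Update user_metadata for any WP user, then store the returned profile locally so the
// change is visible without waiting for the next login (question 1).
function my_auth0_update_user_metadata( $wp_user_id, array $user_metadata ) {
    $auth0_id = my_auth0_user_id_for_wp_user( $wp_user_id );
    if ( null === $auth0_id ) {
        return new WP_Error( 'no_auth0_id', 'WordPress user is not linked to an Auth0 user' );
    }
    $opts    = WP_Auth0_Options::Instance();
    $profile = WP_Auth0_Api_Client::update_user(
        $opts->get( 'domain' ), $opts->get( 'auth0_app_token' ), $auth0_id,
        array( 'user_metadata' => $user_metadata )
    );
    if ( ! $profile ) { // assumed: returns the updated profile object, false on failure
        return new WP_Error( 'update_failed', 'Auth0 Management API update failed' );
    }
    WP_Auth0_UsersRepo::update_auth0_object( $wp_user_id, $profile ); // store like at login
    delete_transient( 'my_auth0_profile_' . $wp_user_id );             // drop any cached copy
    return $profile;
}

// Fetch the live profile (GET /api/v2/users/{id}) with a short transient cache, for data
// that must stay current across sites instead of relying on the login-time snapshot.
function my_auth0_get_profile( $wp_user_id, $ttl = 300 ) {
    $key    = 'my_auth0_profile_' . $wp_user_id;
    $cached = get_transient( $key );
    if ( false !== $cached ) { return $cached; }
    $auth0_id = my_auth0_user_id_for_wp_user( $wp_user_id );
    if ( null === $auth0_id ) { return null; }
    $opts = WP_Auth0_Options::Instance();
    $resp = wp_remote_get(
        'https://' . $opts->get( 'domain' ) . '/api/v2/users/' . rawurlencode( $auth0_id ),
        array( 'headers' => array( 'Authorization' => 'Bearer ' . $opts->get( 'auth0_app_token' ) ) )
    );
    if ( is_wp_error( $resp ) || 200 !== (int) wp_remote_retrieve_response_code( $resp ) ) {
        return null;
    }
    $profile = json_decode( wp_remote_retrieve_body( $resp ) );
    set_transient( $key, $profile, $ttl );
    return $profile;
}
```

The Management API token is the plugin's server-side auth0_app_token and stays on the server; the profile reaches the browser only through whatever the site already renders from user meta.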

@drwxmrrs
Author

drwxmrrs commented Sep 1, 2016

I think you're right in terms of over-engineering.

Do you think the following solution would work better in your mind?

  1. User logs in to client1.com
  2. Auth0 triggers a rule and creates / updates the user account on master
  3. Account is also created on client1.com
  4. User can now make authenticated requests to retrieve extended profile information (using a delegation token from master)

This way all of our data is in sync. We just make API calls to the master if we want to store / retrieve user data that needs to be globally available (across apps, other websites, etc.).

So just to clarify, what should actually go in auth0 user_metadata? Do you think it's best to avoid this field at all costs?

I should be able to achieve this setup using the WP REST API (to create the user account) and the Auth0 WP plugin.

@glena
Contributor

glena commented Sep 5, 2016

Yes, this might be better.

@glena glena closed this as completed Sep 7, 2016
@dleeward

@drewsymo did you ever get this working?

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 19, 2022