Able to Create Users with Restricted app_metadata Fields

Overview

According to the Auth0 docs, the app_metadata field must not contain email, user_id, or the other restricted fields listed in Metadata Field Names and Data Types.

As such, Auth0 should reject any attempt to add these restricted fields to a user profile's app_metadata.

However, when users are created via a custom DB script whose profile includes restricted app_metadata fields, those fields are accepted and stored in the user's app_metadata.
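As an added example (not from this article and not Auth0's own code), a custom DB login script that strips restricted top-level keys from app_metadata before returning the profile to Auth0, so the tenant does not depend on the feature flag; the database lookup is a constructed stub, only email and user_id are taken from this article (the full reserved list is in the linked doc), and the same check applies to any other custom DB script that returns a profile.

```javascript
// Added example (not Auth0's code). Only "email" and "user_id" come from this
// article; the full list of reserved names is in the Auth0 doc
// "Metadata Field Names and Data Types", so callers can pass a longer list.
// Assumption: restricted names are matched as exact top-level keys.
const RESTRICTED_FROM_ARTICLE = ['email', 'user_id'];

// Returns a copy of the profile with restricted app_metadata keys removed,
// plus the names that were stripped so the script can log them.
function sanitizeAppMetadata(profile, restricted = RESTRICTED_FROM_ARTICLE) {
  const removed = [];
  const meta = profile && profile.app_metadata;
  if (!meta || typeof meta !== 'object' || Array.isArray(meta)) {
    return { profile: { ...profile }, removed }; // nothing to check
  }
  const blocked = new Set(restricted);
  const clean = {};
  for (const [key, value] of Object.entries(meta)) {
    if (blocked.has(key)) removed.push(key);
    else clean[key] = value;
  }
  return { profile: { ...profile, app_metadata: clean }, removed };
}

// Constructed stand-in for the tenant's database; a real script would query it.
function fakeDbLookup(email, password) {
  if (email !== 'alice@example.com' || password !== 'correct horse battery') return null;
  // constructed row whose app_metadata carries both restricted keys the article names
  return {
    id: 'db|alice',
    email,
    app_metadata: { email: 'other@example.com', user_id: 'db|someone', plan: 'pro' },
  };
}

// Shape of an Auth0 custom DB "login" script (Auth0's template uses its own
// error class for the failure case; a plain Error stands in for it here).
function login(email, password, callback) {
  const row = fakeDbLookup(email, password);
  if (!row) return callback(new Error('invalid credentials'));
  const { profile, removed } = sanitizeAppMetadata({
    user_id: row.id,
    email: row.email,
    app_metadata: row.app_metadata,
  });
  if (removed.length) {
    console.log(`login: stripped restricted app_metadata keys: ${removed.join(', ')}`);
  }
  return callback(null, profile);
}
```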

Cause

The invalid fields are allowed because a feature flag that permits them defaults to true. It is also set to true in all public cloud spaces.

Solution

If desired, the flag can be disabled for specific tenants.

The only caveat is that users who were already imported (or signed up or created) with the invalid metadata fields would not be able to log in unless we clean up their metadata (which requires a script to be run on our end).

In the future, this feature flag may be phased out (enabling metadata validation) and made into a tenant flag that can be toggled via the Dashboard or another mechanism.

To have the feature flag disabled so that restricted metadata fields can no longer be added via custom DB scripts, please reach out to Auth0 Support.