Hi! I’m trying to create a process where I deny certain attributes from being stored in Auth0.
My Connection in this case is an Enterprise Custom OIDC one.
I followed this page, and was successful at denying a certain attribute from being generated to the Unified profile in Auth0.
Add User Attributes to Deny List (auth0.com)
On the page linked before, it says:
“When you deny attributes, they will still be available via rules and outgoing tokens.”
I’m now trying to create a Login action, in which I wish to examine the denied attribute.
I am, however, having a hard time figuring out how to access the attributes the OIDC connection inputs to the profile from within a login action.
Or, if this is not possible via an action, can somebody point me in the right direction on how to read a root level attribute with a rule, and perhaps update app_metadata with a rule, too.
EDIT:
Apparently root level IDP attributes are not available for Actions as of yet.
Here’s a PoC rule I wrote to handle this.
function handleHetu(user, context, callback) {
  // initialize app_metadata
  user.app_metadata = user.app_metadata || {};
  // Detect if this is the IDP with "Hetu" in it
  const isRightIdp = context.connectionID === "INSERT CONNECTIONID HERE";
  if (isRightIdp) {
    // Create app metadata
    let metadata_value = "PENDING"; // Initial Metadata value
    // Get Root level IDP attribute
    metadata_value = user.hetu;
    // Guard: Buffer.from() throws if the IDP did not send the attribute at all
    if (typeof metadata_value !== "string") {
      return callback(null, user, context);
    }
    // This is the part where you would either compare the value with another service,
    // potentially create an identifier value to another user store, or just encrypt the value.
    // In this case, we just convert it to base64
    const base64Str = Buffer.from(metadata_value, "utf8").toString("base64");
    // Assign metadata value
    user.app_metadata.idp_hetu_b64 = base64Str;
    // Update User metadata, and only continue the login once the update has finished
    // (the callback must not be invoked before the promise settles, and a failed
    // update must be reported instead of silently swallowed)
    return auth0.users
      .updateAppMetadata(user.user_id, user.app_metadata)
      .then(() => {
        console.log("Updated user app_metadata idp_hetu_b64 to " + user.app_metadata.idp_hetu_b64);
        callback(null, user, context);
      })
      .catch((err) => callback(err));
  }
  return callback(null, user, context);
}