Access denied attributes from within an action

Hi! I’m trying to create a process where I deny certain attributes from being stored in Auth0.
My Connection in this case is an Enterprise Custom OIDC one.

I followed this page, and was successful at denying a certain attribute from being generated to the Unified profile in Auth0.
Add User Attributes to Deny List

On the page linked before, it says:
“When you deny attributes, they will still be available via rules and outgoing tokens.”

I’m now trying to create a Login action, in which I wish to examine the denied attribute.
I am, however, having a hard time figuring out how to access the attributes the OIDC connection inputs to the profile from within a login action.

Or if this is not possible via an action, can somebody point me in the right direction on how to read a root level attribute with a rule, and perhaps update app_metadata with a rule, too?

Apparently root level IDP attributes are not available for Actions as of yet.
Here’s a PoC rule I wrote to handle this.

function handleHetu(user, context, callback) {
  // Initialize app_metadata
  user.app_metadata = user.app_metadata || {};
  // Detect if this is the IDP with "Hetu" in it
  const isRightIdp = context.connectionID === "INSERT CONNECTIONID HERE";
  if (isRightIdp) {
    // Create app metadata
    let metadata_value = "PENDING"; // Initial Metadata value
    // Get Root level IDP attribute; keep the initial value if the IdP did not send it
    // (Buffer.from(undefined) would throw)
    metadata_value = user.hetu || metadata_value;
    // This is the part where you would either compare the value with another service,
    // Potentially create an identifier value to another user store, or just encrypt the value
    // In this case, we just convert it to base64 (a reversible encoding, not encryption)
    const base64Str = Buffer.from(metadata_value, 'utf8').toString('base64');
    // Assign metadata value
    user.app_metadata.idp_hetu_b64 = base64Str;
    // Update User metadata
    auth0.users
      .updateAppMetadata(user.user_id, user.app_metadata)
      .then(() => {
        console.log("Updated user app_metadata idp_hetu_b64 to " + user.app_metadata.idp_hetu_b64);
        return callback(null, user, context);
      })
      .catch((err) => {
        // Surface the failure to the login pipeline
        return callback(err);
      });
  } else {
    // Other connections pass through unchanged
    return callback(null, user, context);
  }
}

Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!