Access denied attributes from within an action

Hi! I’m trying to create a process where I deny certain attributes from being stored in Auth0.
My Connection in this case is an Enterprise Custom OIDC one.

I followed this page, and was successful at denying a certain attribute from being generated to the Unified profile in Auth0.
Add User Attributes to Deny List (

On the page linked before, it says:
“When you deny attributes, they will still be available via rules and outgoing tokens.”

I’m now trying to create a Login action, in which I wish to examine the denied attribute.
I am however having hard time figuring out on how to access the attributes the OIDC connection inputs to the profile - from within a login action.

Or if this is not possible via an action - can somebody point me to the right direction on how to read a root level attribute with a rule, and perhaps update app_metadata with a rule, too.

Apparently root level IDP attributes are not available for Actions as of yet.
Here’s a PoC rule I wrote to handle this.

function handleHetu(user, context, callback) {
  // initialize app_metadata
	user.app_metadata = user.app_metadata || {};
  // Detect if this is the IDP with "Hetu" in it
  const isRightIdp = context.connectionID === "INSERT CONNECTIONID HERE";
  if (isRightIdp){
    // Create app metadata
    let metadata_value = "PENDING"; // Initial Metadata value
    // Get Root level IDP attribute
    metadata_value = user.hetu;
    // This is the part where you would either compare the value with another service,
    // Potentially create an identifier value to another user store, or just encrypt the value
    // In this case, we just convert it to base64
    const base64Str = Buffer.from(metadata_value, 'utf8').toString('base64');
    // Assign metadata value
    user.app_metadata.idp_hetu_b64 = base64Str;
    // Update User metadata
			.updateAppMetadata(user.user_id, user.app_metadata)
			.then(() => {
				console.log("Updated user app_metadata idp_hetu_b64 to " + user.app_metadata.idp_hetu_b64);
  return callback(null, user, context);