We’re looking at using some of the extension points in auth0. One thing we’d like to do is update the user’s email after authentication where the email is the user name. The steps we’re trying to implement are:
- User requests to change email
- New email is stored in user_metadata
- User is directed to the hosted page to authenticate with current credentials
- On successful authentication either a rule or a hook fires to update the user's email address with the value stored in their metadata and set email_verified to false.
The reason we like this is because:
- we want the user to auth before changing their email to prevent an attacker using an existing session to change the email
- we want the auth to happen via universal login/hosted page
- we want to minimize any sharing of our auth0 secrets.
As far as I can tell we can do this via rules or hooks and hooks are the new way to extend auth0.
It looks like it's fairly easy to access the Management API in a rule with the required scope to update the user's email, as described here:
This is because rules runtime provides an access token with the right scopes to do this. And the great thing is, we don’t have to share our secrets with anything to do so.
Can we do a similar thing with hooks?