Delete standard claims of IDTokens from Actions (Rules Parity)

Problem statement

I successfully created a rule based on the Remove attributes from user template:

function removeUserAttribute(user, context, callback) {
  const removelist = ['nickname', 'picture'];
  Object.keys(user).forEach(function (key) {
    if (removelist.indexOf(key) > -1) {
      delete user[key];
    }
  });
  callback(null, user, context);
}

I migrated the code, by following the Auth0 documentation, to a Login Flow action script:

exports.onExecutePostLogin = async (event, api) => {
  const removelist = ['nickname', 'picture'];
  Object.keys(event.user).forEach(function (key) {
    if (removelist.indexOf(key) > -1) {
      delete event.user[key];
    }
  });
  return;
};

The rule works fine, but the action script is not deleting the ID Token keys.

Cause

It’s currently not possible to remove claims from the ID token using actions. It’s on our roadmap to close this parity gap but it likely won’t be supported until some time in 2024.

Solution

In the meantime, you should be able to at least set the claims to empty values as a close approximation.
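
The workaround above, sketched as a post-login Action, together with a check that a test client can run on the ID token it receives. This is an added example, not code from the original article or from Auth0. It assumes that `api.idToken.setCustomClaim` accepts the `nickname` and `picture` claim names; the helper names (`blankIdTokenClaims`, `decodeIdTokenPayload`, `claimsStillPopulated`) are hypothetical.

```javascript
// Claim names taken from the removelist in the problem statement.
const BLANKED_CLAIMS = ['nickname', 'picture'];

// Overwrite each listed claim with an empty string on the ID token.
// Assumption: setCustomClaim accepts these standard profile claim names.
function blankIdTokenClaims(api, names) {
  for (const name of names) {
    api.idToken.setCustomClaim(name, '');
  }
}

// Decode the payload segment of a compact JWT for inspection only.
// The signature is NOT verified here; never use this for authorization.
function decodeIdTokenPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS');
  }
  // Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Return the listed claims that still carry a non-empty value,
// i.e. the profile data that is still disclosed to the client.
function claimsStillPopulated(payload, names) {
  return names.filter((name) => {
    const value = payload[name];
    return value !== undefined && value !== null && value !== '';
  });
}

// Post-login Action entry point.
const onExecutePostLogin = async (event, api) => {
  blankIdTokenClaims(api, BLANKED_CLAIMS);
};

if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

The claims remain present in the token with empty values, so relying parties that test for the presence of a key rather than its value will still see `nickname` and `picture`.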