How to prevent Auth0 from storing a database / history of Users?

apd · February 19, 2021, 3:42pm

We’re developing a medical app where it is important that we don’t collect a database of any user data such as emails.
We’ve set up Auth0 to use passwordless Email authentication, and a couple of social media logins like google and microsoft. This is great and our app receives the user’s name and email from a successful Auth0 login.

However we take issue with the fact that Auth0 themselves under Users & Roles > Users maintain a database that stores the information of everybody that has logged in and at what time.

Can we prevent this from happening? All Auth0 needs to store on their servers at most is the temporary session token. Especially since we don’t use a database on Auth0 at all, and we use passwordless & user-registration-less login methods.

We must be able to comply to GDPR rules of not collecting or having access to a database of stored personal info.

stephanie.chamblee · February 19, 2021, 8:05pm

Hi @apd,

Welcome to the Community!

You can prevent user profile attributes from being stored by following the documentation here: Add User Attributes to DenyList

If this looks like what you are looking for, here are some steps to implement the user attribute deny list:

First, you’ll need an Management API Access Token that has the update:connections and read:connections scopes.

You can follow the guide for manually obtaining an access token: Get Management API Access Tokens for Testing

Next, you can get data for all of your connections using the /api/v2/connections endpoint. You’ll need the IDs and options object for each connection.

Finally, update each connection’s options object. Note: when you update the options object it will override what you currently have set, so be sure to add to the options objects that you collected from the GET endpoint.

The body of the request will look like this:

{
   "options":{
     // Any exiting options properties for the connection
    "non_persistent_attrs": ["email", "name", "email_verified", "family_name", "gender", "given_name", 
    "picture", "nickname", "locale"]
   }
}

As the guide mentions, the user’s information is still in the rule, so if you’d like to send some non-persistent user data in the ID Token, it should be available. However, if you are not getting the user data you need, you can add Custom Claims to the ID Token to a Rule:

function (user, context, callback) {
  const namespace = 'https://YOUR_APP_URL';
  let idTokenClaims = context.idToken || {};
  idTokenClaims[`${namespace}/email`] = user.email;
  context.idToken = idTokenClaims;

  callback(null, user, context);
}

Here is additional documentation related to Auth0 and GDPR compliance: Auth0 General Data Protection Regulation Compliance

apd · February 19, 2021, 10:54pm

Thanks! I saw no hints in the Users & Roles section, nor in the auth0 dashboard in general; so I thought it just wasn’t a feature. Especially since I had no databases in auth0 that I set up myself. So I thought we’re kinda stuck that way with that builtin database.

I’ll have a look more closely next week and accept the answer or do a follow up.

valeriedixon1970 · February 27, 2021, 7:25am

Used with database connections. When enabled, the system will maintain a password history for each user and prevent the reuse of passwords included in the history. basic_profile, myaccountaccess, Indicates that you want basic profile information (email address and email verified flag) stored in the Auth0 User Profile.