Is it possible to override user attributes in a post-login action?

jrosen-cc · March 22, 2024, 3:43pm

Use-Case

Auth0 contains personally-identifiable information (PII) that we don’t want to share with a particular application. We do want the user to be able to log in to the application and get a valid session. I don’t want to change the actual data in Auth0, just the presentation to this client application.

Is it possible to override the PII fields on the token during the post-login flow?

I’m imagining something like

exports.onExecutePostLogin = async (event, api) => {
  const { user_id: id } = event.user
  api.user.setEmail(`${id}@example.com`);
  api.user.setName(`Anonymous User ${id}`)
  api.user.setNickname(`Anonymous`)
};

These APIs don’t actually exist. Is there something else that would accomplish this?

Possibly related: Actions: How do I *set* an event.user.nickname?

rueben.tiow · March 22, 2024, 5:05pm

Hi @jrosen-cc,

Yes, you should be able to override the user attributes without permanently updating them.

Here is an example:

exports.onExecutePostLogin = async (event, api) => {
  const { user_id: id } = event.user
  event.user.email = `${id}@example.com`
  event.user.name = `Anonymous User ${id}`
  event.user.nickname = `Anonymous`
};

Thanks,
Rueben

jrosen-cc · March 22, 2024, 5:18pm

This is very helpful. Thank you!

It’s not clear from any of the examples on the website that event is mutable or that mutations will be carried through the rest of the process.

rueben.tiow · March 22, 2024, 6:20pm

Hi @jrosen-cc,

You’re welcome!

Yes, that’s true. I will add that it’s usually only used in cases where you need to map user_metadata/app_metadata into claims in the SAML Response.

Feel free to reach out again if you’ve got more questions!

Cheers,
Rueben

system · April 5, 2024, 6:21pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.