Mapping Identity Provider Attributes

I’m using openid connect to log users in. I want to extract some custom user attributes returned by the IDC, specifically in a post login action script.
I don’t want to store these attributes on the user in Auth0.

If I use the current user mapping:

{
  "mapping_mode": "bind_all"
}

All custom attributes from my IDP are stored on the user. They are stored as Identity Provider Attributes, and I cannot delete them. I’ve tried with the UI and the management API.

If I use a custom map and don’t extract those values, I cannot access them in the event.user object in my action script.

If I try to map the attribute manually with

    "custom_attribute": "${context.tokenset.custom_attribute}", // custom_attribute is written the same way it appears when bind all is used

It doesn’t appear in the event.user object. (or on the user in auth0 GUI).

So my questions are:

  1. What is the correct way to extract the custom attributes from IDP so that I can read them when the user logs in?
  2. How can I delete the custom attributes from the user object in auth0? (They are sensitive)

I found the answer to question 1 here Configure PKCE and Claim Mapping for OIDC Connections

The attributes was in the userinfo, not tokenset.

I still haven’t figured out number 2, how we could delete identity provider attributes (or encrypt them) before storing them in auth0.