I’m using the google-oauth2 integration and I couldn’t find a way of preventing the user profile picture from making its way to Auth0. Creating a rule is not sufficient because that only modifies the response for the applications, but the Auth0 dashboard still has the picture and shows it.
The only way I found was to create a custom Google OAuth connection, which I have to say is annoying as Auth0 simply should have let me choose which claims I wanted from the social provider.
Hi @rdsedmundo,
Welcome to the Community!
You can specify which fields should not be stored in Auth0 by adding attributes to the connection’s DenyList: https://auth0.com/docs/security/denylist-user-attributes
- Get an Access Token for the Management API. Since this is a one-time task, you can use the token from the API Explorer. Go to Applications > APIs > Auth0 Management API and go to the API Explorer tab. Copy the Access Token.
- Go to the Management API docs and click on the SET API TOKEN button and paste the Access Token you copied from the API Explorer.
- Get the Connection IDs of all of the identity providers that you want to update using the GET /api/v2/connections endpoint. The connection ID will look something like con_4HWnfgic03J1b1XO.
- Update each connection using the PATCH /api/v2/connections/{id} endpoint. One connection at a time, add the connection ID that you retrieved in that last step, and update the connection’s DenyList:

```json
{
  "options": {
    "non_persistent_attrs": ["picture"]
  }
}
```
When a user logs in with the connection, the picture will not persist in Auth0.