Prevent picture from social identity provider from being saved to user account

I’m using the google-oauth2 integration and I couldn’t find a way of preventing the user profile picture from making its way to Auth0. Creating a rule is not sufficient because that only modifies the response for the applications, but the Auth0 dashboard still has the picture and shows it.

The only way I found was to create a custom Google OAuth connection, which I have to say is annoying as Auth0 simply should have let me choose which claims I wanted from the social provider.

Hi @rdsedmundo,

Welcome to the Community!

You can specify which fields should not be stored in Auth0 by adding attributes to the connection’s DenyList: https://auth0.com/docs/security/denylist-user-attributes

  1. Get an Access Token for the Management API. Since this is a one-time task, you can use the token from the API Explorer. Go to Applications > APIs > Auth0 Management API and go to the API Explorer tab. Copy the Access Token.
  2. Go to the Management API docs and click on the SET API TOKEN button and paste the Access Token you copied from the API Explorer.
  3. Get the Connection IDs of all of the identity providers that you want to update using the GET /api/v2/connections endpoint. The connection ID will look something like con_4HWnfgic03J1b1XO.
  4. Update each connection using the PATCH /api/v2/connections/{id} endpoint. One connection at a time, add the connection ID that you retrieved in that last step, and update the connection’s DenyList:
```json
{
  "options": {
    "non_persistent_attrs": ["picture"]
  }
}
```

When a user logs in with the connection, the picture will not persist in Auth0.

