Questions about User Profile

Hi-

We are currently using a custom DB to authenticate users. After the user logs in, we pull some extra data via API, like user_institution, user_jobTitle. My understanding is that these properties can be saved on the user profile in app_metadata, user_metadata, or as part of the root profile. Also, it’s my understanding that properties in the user_metadata structure are meant to be editable, while the properties in the app_metadata structure are meant to be read-only. Here are my questions:

- When should one use root profile properties vs. app_metadata properties? (None of the fields should be editable by the user, so ruling out the user_metadata.)

- Should we make the API calls, get the extra user data, and save that data in the login script? Or in a post-login action?

- There are about 20 fields that I need to add to the profile because they need to be returned with the SAML response. Is this an okay number of fields to keep, or will this present problems?

Thanks

Hi,

I’m not sure about the recommended approach from Auth0, but root properties are not editable using Auth0 endpoints. Therefore, we are storing the user’s email and security identifier & Object ID in our custom database. AppMetadata is editable, and we use both user metadata and app metadata to store editable details like user roles and agency codes. Ultimately, it is up to each organization to make this decision based on their compliance requirements.

Hi,
For non-editable fields, you would want to use the app_metadata instead of the root profile or user_metadata. You should make the API calls and save extra user data in a post-login action using Auth0 Actions to prevent overwriting existing metadata properties.
FYI, having 20 fields is not inherently problematic, but you will want to be cautious, as heavy search or update frequency might cause scalability issues.
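To make the advice above concrete, here is an added example (not code from the thread or from Auth0) of a post-login Action that fetches the extra fields from an external API, writes them into app_metadata with `api.user.setAppMetadata`, which merges per key rather than replacing the whole object, and maps them onto SAML attributes with `api.samlResponse.setAttribute`. It only copies an allow-list of field names so unexpected upstream fields never land in the profile, and it skips the external call when the stored data is still fresh, which keeps the per-login load down for a profile with 20-odd fields. The field names, the secrets `PROFILE_API_URL`/`PROFILE_API_KEY`, the fake profile service and the in-memory harness are all assumptions constructed so the file runs offline.

```javascript
// Added example, not from the original thread or from Auth0. Field names,
// secrets and the fake profile API below are constructed assumptions.

// Fields the SAML service provider needs (assumed names). Anything the
// upstream API returns that is not listed here is dropped.
const PROFILE_FIELDS = ['user_institution', 'user_jobTitle', 'user_department'];

// Reuse app_metadata synced less than this long ago instead of calling the
// external API on every login.
const MAX_AGE_MS = 24 * 60 * 60 * 1000;

function isFresh(appMetadata, now) {
  const syncedAt = appMetadata && appMetadata.profile_synced_at;
  return typeof syncedAt === 'number' && now - syncedAt < MAX_AGE_MS;
}

// Fetcher for a real deployment: URL and key come from Action secrets
// (assumed secret names), never from the user-controlled profile.
async function defaultFetchProfile(event) {
  const url = `${event.secrets.PROFILE_API_URL}/users/${encodeURIComponent(event.user.email)}`;
  const res = await fetch(url, {
    headers: { Authorization: `Bearer ${event.secrets.PROFILE_API_KEY}` },
  });
  if (!res.ok) throw new Error(`profile API returned ${res.status}`);
  return res.json();
}

// Auth0 invokes this with (event, api). The third parameter exists only so
// the offline harness below can inject a fake fetcher.
async function onExecutePostLogin(event, api, fetchProfile = defaultFetchProfile) {
  const now = Date.now();
  const merged = { ...(event.user.app_metadata || {}) };

  if (!isFresh(merged, now)) {
    let fetched;
    try {
      fetched = await fetchProfile(event);
    } catch (err) {
      // Enrichment failed: keep whatever metadata already exists rather than
      // blocking the login. Swap this for api.access.deny(...) if the SAML
      // attributes are mandatory for the service provider.
      fetched = {};
    }
    // Allow-listed keys only; setAppMetadata merges per key, so properties
    // written by other Actions or by the Management API are preserved.
    for (const key of PROFILE_FIELDS) {
      if (fetched[key] !== undefined) {
        api.user.setAppMetadata(key, fetched[key]);
        merged[key] = fetched[key];
      }
    }
    if (Object.keys(fetched).length > 0) {
      api.user.setAppMetadata('profile_synced_at', now);
      merged.profile_synced_at = now;
    }
  }

  // Expose the stored fields as SAML attributes for this response.
  for (const key of PROFILE_FIELDS) {
    if (merged[key] !== undefined) api.samlResponse.setAttribute(key, String(merged[key]));
  }
}

// Auth0 Actions export the handler this way; guarded so the file also loads
// where `exports` is not defined.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// ---- Offline harness (constructed): an in-memory stand-in for the Action API.
function makeHarness(user) {
  const appMetadata = { ...(user.app_metadata || {}) };
  const samlAttributes = {};
  const api = {
    user: { setAppMetadata: (k, v) => { appMetadata[k] = v; } },
    samlResponse: { setAttribute: (k, v) => { samlAttributes[k] = v; } },
  };
  return { event: { user, secrets: {} }, api, result: () => ({ appMetadata, samlAttributes }) };
}

// Constructed fake of the external profile API; note the extra field that
// must not reach app_metadata.
async function fakeFetchProfile() {
  return { user_institution: 'Example University', user_jobTitle: 'Analyst', ssn: '000-00-0000' };
}

// Runs the Action once for the given user and returns what it stored/emitted.
async function runExample(user, fetchProfile = fakeFetchProfile) {
  const h = makeHarness(user);
  await onExecutePostLogin(h.event, h.api, fetchProfile);
  return h.result();
}

runExample({ email: 'alice@example.com' }).then(r => console.log(JSON.stringify(r)));
```

The freshness check is what keeps a 20-field sync from turning into 20-field writes on every login; combined with the allow-list it also means the external API can grow new fields without them silently appearing in the SAML assertion.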