Last Updated: Jun 10, 2024
Problem statement
The Manage Metadata documentation states that it is not recommended for app_metadata or user_metadata to be returned by custom DB scripts. What is the reason for this recommendation?
Solution
Custom Database connections are not intended for capturing app_metadata and user_metadata. If additional data is present in a 3rd party store, there can be many stages at which this data might need to be fetched from upstream.
For example, if this data is coming from an upstream database (and might update), it will only be able to “pull” this new data on a login - i.e. when the user has no valid session with Auth0 and must authenticate. Silent authentication/SSO or refresh tokens will not trigger the Custom Database’s scripts.
Also, if metadata is returned in a custom database’s login script, it performs a full replacement of the user’s metadata object if “Sync user profile attributes at each login” is enabled, which may or may not be useful depending on the use case.
For these cases, a Post-Login Action is a better place to pull and update metadata. Ideally a Custom Database connection only provides the basic profile, and when import mode is disabled, also acts as the credentials store.
If the metadata is sourced from an external call, for example to an API, care should be taken to keep external calls to the minimum necessary to avoid performance issues.
However, this warning against setting metadata in Custom Database login scripts applies only if the custom database is not in “import mode”. If this is for migration, it is perfectly reasonable to return both app and user metadata, and on subsequent logins by the same user the login script will not be called, as the user has been migrated into Auth0.
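The Post-Login Action approach recommended above, as an added example that is not from the Auth0 documentation: it refreshes metadata from an upstream API only when the stored copy is older than a freshness window, and writes individual keys instead of replacing the whole object. The `upstream_synced_at` key, the `UPSTREAM_URL` and `UPSTREAM_TOKEN` secrets, the response shape and the 15-minute window are assumptions.

```javascript
// Added example: Post-Login Action that pulls metadata from an upstream store.
// Hypothetical: upstream_synced_at key, UPSTREAM_* secrets, upstream response shape.
const MAX_AGE_MS = 15 * 60 * 1000; // assumed freshness window

// True when no sync is recorded or the last sync is older than the window.
function needsRefresh(appMetadata, nowMs) {
  const last = Date.parse((appMetadata || {}).upstream_synced_at || "");
  return Number.isNaN(last) || nowMs - last > MAX_AGE_MS;
}

// Default fetcher: a single upstream call with a hard timeout.
async function fetchUpstream(event) {
  const url = `${event.secrets.UPSTREAM_URL}/users/${encodeURIComponent(event.user.user_id)}`;
  const res = await fetch(url, {
    headers: { authorization: `Bearer ${event.secrets.UPSTREAM_TOKEN}` },
    signal: AbortSignal.timeout(2000),
  });
  if (!res.ok) throw new Error(`upstream returned ${res.status}`);
  return res.json(); // assumed shape: { app_metadata: {...}, user_metadata: {...} }
}

// Auth0 calls this with (event, api); the extra parameters exist only for testing.
async function onExecutePostLogin(event, api, fetcher = fetchUpstream, nowMs = Date.now()) {
  if (!needsRefresh(event.user.app_metadata, nowMs)) return "fresh"; // no external call
  let upstream;
  try {
    upstream = await fetcher(event);
  } catch (err) {
    console.log(`metadata refresh skipped: ${err.message}`);
    return "skipped"; // assumed policy: keep stored metadata, do not block the login
  }
  // Per-key writes leave unrelated metadata keys untouched.
  for (const [k, v] of Object.entries(upstream.app_metadata || {})) api.user.setAppMetadata(k, v);
  for (const [k, v] of Object.entries(upstream.user_metadata || {})) api.user.setUserMetadata(k, v);
  api.user.setAppMetadata("upstream_synced_at", new Date(nowMs).toISOString());
  return "refreshed";
}

// In the Actions editor the handler is exported under this name.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

If app_metadata carries authorization data such as roles, keeping stale values on an upstream failure may not be acceptable; in that case deny the login with `api.access.deny` instead of returning early.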