Secure flow to let user delete their own account

Coming from Firebase, my understanding of the secure way to let the user delete their own account is by forcing them to reauthenticate right before doing so. However, it looks like authentication through Auth0 goes through the universal auth, but deleting a user goes through my own server. I’m struggling to figure out how to connect those two. Is reauthenticating the user even necessary through Auth0? What is the proper flow to let the user delete their own account?

Hi @eva!

Welcome to the Auth0 Community!

We recommend using the client credentials flow via a backend process; see a related Community post’s solution here: Is it able to get management API access token and call management APIs via a React Native mobile application?

More specifically, you can do this with the Management API with an M2M token following this doc. You could create a self-hosted API with an endpoint that is configured to get an M2M token with the appropriate scopes for the Management API in the backend. Given that the API is hosted on the server, the client secret can be stored there securely. If an end-user from your app requests account deletion, then you call out to your API endpoint passing the logged-in user_id across. You could configure the endpoint to delete the account via the Management API’s Delete a User endpoint, and then you redirect the user to the logout endpoint.

Please let me know if you have any additional questions!

Best,

Mary Beth

Thanks for your response. How do I verify on my server that the user id in the request matches the logged in user?

Hi @eva!

To verify that the user_id from the request matches the logged-in user, you can extract the user ID from the JWT (JSON Web Token) included in the request’s Authorization header. Then, you use the Auth0 Management API to validate that the ID is associated with the currently authenticated user on your server; essentially, you decode the JWT and compare the user ID within it to the expected user ID based on the current session.

Key steps:

  • Retrieve the JWT from the request:

    • Access the “Authorization” header from the incoming request.
    • Extract the JWT token from the header (usually in the format “Bearer <token>”).
  • Decode the JWT:

    • Use a JWT library (available in most programming languages) to decode the JWT on your server.
    • This will provide you with the payload containing the user ID (usually called “sub” or “user_id”).
  • Validate the user ID:

    • Compare the “sub” value from the decoded JWT to the user ID expected based on the current session or other context.
    • If necessary, you can make an additional call to the Auth0 Management API using the access token to verify the user ID against Auth0’s user database.

Please let me know if you have any additional questions!

Thanks,

Mary Beth

So there’s no need to reauthenticate the user? There isn’t a risk of privilege escalation?

Hi @eva,

Thank you for your patience! You can reauthenticate the user or add Step-Up Authentication to the delete functionality in your app/API.

Thanks,

Mary Beth