I was wondering if it would be possible to store encryption secrets for each user, such that these secrets cannot be viewed by people with access to the Auth0 dashboard.
The intended use case of this is to generate an encryption key in a deterministic way for each user, without actually allowing malicious administrators to obtain the encryption key for a particular user (which would render the encryption scheme useless). Without Auth0, I would simply generate an encryption key from a hash of the user’s password (slightly different from the usual password hash stored for authentication). Therefore, a malicious DBA who only had access to the hashed authentication password would be unable to construct the encryption key for that user, and only the user would be able to do so.
I would like to implement something similar to that using Auth0, but allowing users to sign up via Social Sign-In rather than via username/passwords. Unfortunately, it appears that the only places where we can add custom data to an Auth0 user is in user_metadata, both of which are visible in plaintext to the administrators of the Auth0 tenant.
Is there any way I can achieve this?
Thanks in advance!
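The "without Auth0" scheme described in the question, as an added example that is not part of the original post: one slow password stretch feeds two domain-separated derivations, so the stored authentication verifier and the encryption key are independent and a DBA holding only the verifier cannot recover the key. The function names, the HKDF info labels and the scrypt parameters are choices made for this example; it does not address the Social Sign-In case the question asks about.

```python
import hashlib
import hmac
import os


def stretch(password: str, salt: bytes) -> bytes:
    # Slow, memory-hard stretch of the password (scrypt from the stdlib).
    # n=2**14, r=8 uses ~16 MiB, which fits OpenSSL's default memory limit.
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    # HKDF-Expand (RFC 5869) over HMAC-SHA256. Different `info` labels give
    # independent outputs; neither output reveals `prk` or the other output.
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_keys(password: str, salt: bytes):
    # One expensive stretch, then two domain-separated keys (labels chosen here).
    prk = stretch(password, salt)
    auth_verifier = hkdf_expand(prk, b"example:auth-verifier")
    encryption_key = hkdf_expand(prk, b"example:encryption-key")
    return auth_verifier, encryption_key


def register(password: str):
    # Returns the record the database stores (salt + verifier only) and the
    # encryption key, which lives only in the user's session and is never stored.
    salt = os.urandom(16)
    verifier, enc_key = derive_keys(password, salt)
    return {"salt": salt, "verifier": verifier}, enc_key


def login(record: dict, password: str):
    # Re-derives both values; on a verifier match the encryption key is
    # available again, otherwise nothing is returned.
    verifier, enc_key = derive_keys(password, record["salt"])
    if not hmac.compare_digest(verifier, record["verifier"]):
        return None
    return enc_key
```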