Updatable Normalized Profile Root Attributes [Product Roadmap: Launched]

Feature adding ability to update root attributes of user profiles in progress

Auth0 defines certain user profile attributes as the Auth0 Normalized Profile, including: name, given_name, family_name, nickname, and picture. These attributes are retrieved from federated identity providers (IdPs) when the user logs in, are then automatically updated in the User profile, and cannot be independently updated.

This upcoming feature enables Auth0 customers to update these attributes on demand. For example, if a user signs up using Google as the IdP, the root attributes are added from Google and are automatically updated with each subsequent login. This enhancement allows you to determine whether or not the attributes are automatically updated with each subsequent login, and update the attributes directly from your application. A common use-case for this would be a user signing up using a social login who wants to use a different avatar in your application than the one used in the social provider.

Previously, updated attributes had to be stored in user_metadata, resulting in search limitations (inability to search using wildcards or mixed case). This enhancement enables you to update the attributes without using user_metadata. Once updated attributes are set in the user profile instead of in user_metadata, wildcard search and case-insensitive search will be possible.

This feature is in active development. This topic will be updated with additional details and supporting documentation when the feature is launched.


This feature has now been launched, along with updates to user import. Docs for this feature are now available here: https://auth0.com/docs/users/normalized/auth0/update-root-attributes


Very much looking forward to this one!

Any news on this feature ?

Very much looking forward to this, not having the ability to update the first name / last name and being unable to filter on the user metadata has so-far been a dealbraker for me.

Any idea on the timeframe of the feature?

Hello @galesky and @hanshenp! Although we’re not able to provide timeframes (you can find details on how the roadmap is communicated here), I can share that updatable normalized profile root attributes is in a post-development testing phase at the time of this writing. This is the final phase before launch, and we will be sure to update in Community when the feature is available.

Can we expect this fix to be completed before the deadline for v3 search api migrattion.
We currently use User Search v2 and this is a blocker for us, we can’t migrate until we are able to search users properly.

I’ve opened another topic in here for more details:

We are very much looking forward to this feature
Any updates / timeline ?

@kim.maida we’re also very much looking forward to this feature.

Do you have any updates on when this feature might be available?

We’re not able to provide timelines, but I’m hoping to have an update on how the final testing phase is going. I will follow up here!

Hello all! I’m pleased to announce that updatable normalized profile root attributes has been launched, along with updates to user import. Documentation for this feature is now available here: https://auth0.com/docs/users/normalized/auth0/update-root-attributes

1 Like

I have opened the ticket User search using search_engine=v3 is not consistent and user_metadata is case sensitive
and has been informed this update would fix the problem.

I have tried to use this new version on our account, but I noticed the user information does get populated to user_metadata only, but is not added to the root profile of the user. This is a must have before we migrate to user search v3, otherwise we can’t find the users.

I have created the user:
Name: Asdrubal
Surname: Smith
Email: a.niceguy@testing.co.ll

It is listed on Auth0 dashboard, when I try to search by either name or surname it does not get returned in the results from your dashboard.

Looking to the raw JSON, it’s clearly visible why.

There is no given_name or family_name in the root document, just in the metadata, where we can’t search by wildcard only by an exact match, that is case sensitive.
The name is using the email, and the nickname is using the the email alias.

I would expect the given_name or family_name in the root,
and nickname have the email, given we use the email as nickname,
and the name should be a concatenation of given_name and family_name.

See a copy of the raw json from the user created

"email_verified": false,
"email": "a.niceguy@testing.co.ll",
"user_metadata": {
    "birthday": "2000-01-01T00:00:00.000Z",
    "given_name": "Asdrubal",
    "family_name": "Smith"
"updated_at": "2019-05-29T16:34:50.424Z",
"user_id": "auth0|5ceeb4a714b2b20ef6689195",
"name": "a.niceguy@testing.co.ll",
"picture": "https://s.gravatar.com/avatar/c086d10e95bb55dabe0f0e9fdb0ab96b?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fa.png",
"nickname": "a.niceguy",
"identities": [
        "user_id": "5ceeb4a714b2b20ef6689195",
        "provider": "auth0",
        "connection": "Username-Password-Authentication",
        "isSocial": false
"created_at": "2019-05-29T16:34:47.883Z",
"last_ip": "",
"last_login": "2019-05-29T16:34:48.167Z",
"logins_count": 1,
"blocked_for": [],
"guardian_authenticators": []

I think this is a related bug:
Today, after adding the ability of “Updatable Profile Attributes” (https://support.auth0.com/notifications/5ce58190e5e728000aa3b9ea), we can update the user’s picture attribute
However, the Multi Factor authentication page still tries to load the picture of the user from gravatar, regardless of the value of the picture attribute that now can point to a different url

Hi @diego.mendes

How did you create that user? Was it using Lock and its custom signup fields? If so, those fields are expected to end up in the user’s app_metadata , because Lock is not yet aware of the changes mentioned in https://auth0.com/docs/users/normalized/auth0/update-root-attributes.

For now, if you want to create a user with root attributes the only option is to use the signup endpoint directly (or the Management API v2 create users endpoint). Support for root attributes in Lock should be coming soon, but it’s not there yet.

Yes, using Lock, unfortunately using the API directly is not an option for us.


Hey @diego.mendes there are two PRs already opened for this in the Lock repository, so I expect that a new version will follow soon:

1 Like

Today we are using https://auth0.com/docs/api/management/v2/#!/Users/patch_users_by_id directly from the client side in order to update the current user metadata with scope “update:current_user_metadata”
We do want to use the same logic to update the Profile Root Attributes as well, is it possible?
Its looks like we need a new scope “update:current_user_profile” or something like that

Any update on what @akuka has said above? I am trying to update root level user data client side and can’t because there is now scope for it.

I am trying to let native app users update their own profile info as per this documentation to no avail and keep getting the following error response that doesn’t indicate what scope is actually missing.

{“statusCode”:403,“error”:“Forbidden”,“message”:“You cannot update the following fields: name”,“errorCode”:“insufficient_scope”}

I am using the Auth0.OidcClient library similarly to this example, to get the api access token while passing in all user update scopes I can find (update:users update:users_app_metadata update:current_user_metadata update:current_user_identities) as part of Auth0ClientOptions. If update:user is not passed in, the error message actually names it as an expected scope. Hence, my perplexity at a now unnamed but still missing scope.

I have disabled sync on all social connections as required for root attributes to be editable. As we are still in Dev and it didn’t work, I then disabled all social connections completely and just had the Auth0 database enabled to make sure the system just had Auth0 as the provider while logging in with a test user account that is from the Auth0 database connection.

When requesting the user patch, I have made sure to send the content type, cache-control, and the access token as authorization/bearer as documented

The documentation sample is updating all root attributes, but the user patch API is supposedly able to update just one attribute at a time, so I am testing with just updating one root attribute for now.

What am I missing?

UPDATE: I have narrowed down the issue to the user’s consent grantInfo. Login is logged as successful, but not all scopes passed in are actually accepted and consequently listed in the user grant. Still no clue how to get the current user access to the current_user scopes via the Auth0.OidcClient library though.

     "grantInfo": {
      "id": "{ID-VALUE}",
      "audience": "https://{AUTHO-DOMAIN-NAME}/api/v2",
      "scope": "openid profile email",
      "expiration": null

Hi. So has anyone since this post been successful at this?

I have a SPA that is using the user’s token to PATCH the management API. All works fine when i just bother with user_metadata, but if I try to alter Root attributes:

Error during PATCH: You cannot update the following fields: given_name, family_name, name, picture'

Again, with the insufficient_scope. This is a different error than should you try to patch some custom property not included on the list mentioned in the OP.

So what is this mystery scope???

I have tried all of the following at some point or another:

update:user update:users update:current_user update:given_name update:picture update:name update:family_name given_name picture name family_name

This is in addition to those I’ve already been requesting (successfully):

openid profile email read:current_user update:current_user_metadata

So I’m quite at a loss here. Can one of the auth0 experts chime in?


Updating root attributes does work. I just tested changing given_name and family_name. Log entry below may help troubleshoot:

  "date": "2020-10-10T05:02:28.538Z",
  "type": "sapi",
  "description": "Update a user",
  "client_id": "t7cWmFqZ47Sewug62FjQ7z4BT1YRJpSg",
  "client_name": "",
  "ip": "[MY_IP]",
  "user_agent": "Safari 14.0.0 / Mac OS X 10.15.7",
  "details": {
    "request": {
      "method": "patch",
      "path": "/api/v2/users/auth0%7C5e4429e78a409e0e62022150",
      "query": {},
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15",
      "body": {
        "given_name": "liara",
        "family_name": "t'soni"
      "channel": "api",
      "ip": "[MY_IP]",
      "auth": {
        "user": {},
        "strategy": "jwt",
        "credentials": {
          "scopes": [
    "response": {
      "statusCode": 200,
      "body": {
        "created_at": "2020-02-12T16:37:59.043Z",
        "email": "liara@sr2.ca",
        "email_verified": false,
        "identities": [
            "connection": "Username-Password-Authentication",
            "provider": "auth0",
            "user_id": "5e4429e78a409e0e62022150",
            "isSocial": false
        "name": "liara@sr2.ca",
        "nickname": "liara",
        "picture": "https://s.gravatar.com/avatar/cb8f7e1bd1a0e014808fea2a5ee7d704?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fli.png",
        "updated_at": "2020-10-10T05:02:28.531Z",
        "user_id": "auth0|5e4429e78a409e0e62022150",
        "family_name": "t'soni",
        "given_name": "liara",
        "last_ip": "[MY_IP]",
        "last_login": "2020-02-12T16:37:59.041Z",
        "logins_count": 1
  "log_id": "90020201010050233818000842868810496185721760527402664034",
  "_id": "90020201010050233818000842868810496185721760527402664034",
  "isMobile": false