Users Registered with Facebook Sometimes have No E-mail Address

Problem statement

Sometimes, there are Facebook users without an e-mail address even though the client has configured the FB social connection to request the scope “email” in the OAuth flow. How does this happen, and is it possible to prevent this type of user?

Cause

Facebook does not always return an email address for a user, because some Facebook accounts have no email associated with them, and Auth0 creates the user profile from what Facebook returns.

Another possibility is that the user denies email permission when logging in via Facebook. When users authenticate, they are prompted to accept the permissions your app has requested. The user can deny email, so that could also be the cause of this issue.

Solution

To stop these users, use a Rule like the one linked below to detect whether the login comes from a social connection and, if so, check whether the profile has an email field. If no email is found, reject the login. This would not stop the user’s profile from being created, as our pre-user registration Hooks / Actions only work for Database and Passwordless connections, but it could at least stop them from being able to complete the login.

Another option requires more work but allows users to sign up with Social accounts lacking emails. Create a user in a standard database connection with an email address and password and ask the user to sign up with one. Link the Facebook account to the standard database user, with the latter being the primary identity (this is important to get the email associated with the user). When they log in via Facebook, they will be logged into the standard database user, and there will be an email for their account. Refer to User Account Linking.
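A sketch of the Rule from the first option, written for this page as an added example and not the Rule the article links to. The names rejectSocialLoginWithoutEmail, DenyError and runRule are hypothetical, and the sample profiles are constructed.

```javascript
// Added example, not Auth0's own Rule. In the Rules sandbox UnauthorizedError
// is a global; the fallback only lets this file run under plain Node.js.
const DenyError = typeof UnauthorizedError !== 'undefined'
  ? UnauthorizedError
  : class UnauthorizedError extends Error {};

function rejectSocialLoginWithoutEmail(user, context, callback) {
  // Find the identity used for this login; a linked profile has several.
  const identities = user.identities || [];
  const current = identities.find((i) => i.connection === context.connection);
  const isSocial = Boolean(current && current.isSocial);

  // Database, passwordless and enterprise logins are left alone.
  if (!isSocial) {
    return callback(null, user, context);
  }

  // user.email is missing when Facebook returned none: the account has no
  // address, or the user declined the "email" permission at consent.
  // With account linking, user.email comes from the primary (database)
  // identity, so a linked Facebook login still passes this check.
  const email = typeof user.email === 'string' ? user.email.trim() : '';
  if (email === '') {
    return callback(new DenyError('An email address is required to log in.'));
  }
  return callback(null, user, context);
}

// Helper for trying the Rule outside Auth0 (hypothetical, not an Auth0 API).
function runRule(user, context) {
  let outcome;
  rejectSocialLoginWithoutEmail(user, context, (err) => {
    outcome = err ? 'denied' : 'allowed';
  });
  return outcome;
}

// Constructed sample: Facebook profile that arrived without an email.
const sampleUser = {
  user_id: 'facebook|0000000000',
  identities: [{ provider: 'facebook', connection: 'facebook', isSocial: true }],
};
console.log(runRule(sampleUser, { connection: 'facebook' }));
```

The Rule only blocks the login; the profile has already been created by the time it runs, as noted above.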