You can customize the user signup form with more fields in addition to email and password when using Lock or the Auth0 API. There are many factors to consider before you choose Lock vs. Custom UI. For example, using Lock, you can redirect to another page to capture data or use progressive profiling. When using the Auth0 API, you can capture custom fields and store them in a database. There are certain limitations to the customization that should be considered when choosing the method that best suits your purpose. Some typical customizations include adding a username and verifying password strength.

Universal Login recommended

Auth0 offers a Universal Login option that you can use instead of designing your own custom login or signup pages, or using those that are embedded in any of the Auth0 libraries. If you want to offer signup and login options, and you only need to customize the application name, logo and background color, then Universal Login might be an easier option to implement.

Using Lock

Lock supports custom fields signup. Lock’s additionalSignUpFields option will only work with database signups. For signups using social , collecting these fields in the same manner is not possible with Lock, but there are two other options to allow social IDP signups with Lock while still collecting additional custom fields.

Redirect to another page

One way to use social provider signups with Lock and collect custom fields is to use redirect rules to redirect the user to another page where you ask for extra information, and then redirect back to finish the authentication transaction.

Progressive profiling

Another way to collect custom field data when signing users up with social providers is via progressive profiling whereby you can slowly build up user profile data over time. You collect the bare minimum details upon signup, but when a user later interacts with your app, you collect a small amount of data (perhaps one question) each time until their profile is complete. This allows you to collect the desired information but with less friction, since the goal of using a social IDP for signup is making it more effortless and streamlined for the user.

Using the API

Create a signup form to capture custom fields

The name is a user profile attribute and color is a custom field. There is currently no way to validate user-supplied custom fields when signing up. Validation must be done from an Auth0 Rule at login, or with custom, server-side logic in your application.

Send the form data

Send a POST request to the /dbconnections/signup endpoint in Auth0. You will need to send:
  • Your application’s client_id
  • The email and password of the user being signed up
  • The name of the database connection to store your user’s data
  • Any user profile attribute you want to update for the user, which can include given_name, family_name, name, nickname, and picture.
  • Any custom fields as part of user_metadata

Custom fields limitations

When your users sign up, the custom fields are sent as part of user_metadata. The limitations of this field are:
  • user_metadata must contain no more than 10 fields
  • user_metadata.field must be a string
  • user_metadata.field.value.length must be fewer than 500 characters
  • user_metadata.field.length must be fewer than 100 characters
  • The current size limit for user_metadata is 16 MB

Redirect mode

After a successful login, Auth0 will redirect the user to your configured callback URL with a (id_token) in the query string. Your server will then need to call APIv2 to add the necessary custom fields to the user’s profile.

Add username to the signup form

One common signup customization is to add a username to the signup. To enable this feature, turn on the Requires Username setting on the Connections > Database section of the dashboard under the Settings tab for the connection you wish to edit. Capture the username field in your custom form, and add the username to your request body.

Optional: Verify password strength

Password policies for database connections can be configured in the dashboard. For more information, see: Password Strength in Auth0 Database Connections. If required for implementation of custom signup forms, the configured password policies, along with other connection information, can be retrieved from the Management v2 API. The result can be parsed client-side, and will contain information about the current password policy (or policies) configured in the dashboard for that connection.