Hey there @SpencerWF welcome to the community!
These are all great questions! I usually point to our architectural scenarios documentation first and foremost to serve as high level overview.
In an Auth0/OAuth/OIDC context this is all done via tokens (ID/Access).
Typically, this is added as a custom claim to a user’s ID and/or Access token, something like:
```js
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://example.com';
  api.accessToken.setCustomClaim(`${namespace}/app_metadata`, event.user.app_metadata);
  api.idToken.setCustomClaim(`${namespace}/app_metadata`, event.user.app_metadata);
  // additionally, user metadata
  api.accessToken.setCustomClaim(`${namespace}/user_metadata`, event.user.user_metadata);
  api.idToken.setCustomClaim(`${namespace}/user_metadata`, event.user.user_metadata);
};
```
Some more on custom claims and metadata.
- You can certainly go the rule/action route - That is, inspect the user profile on login for some sort of reference to your external DB, and if it does not exist then make the necessary calls to your backend.
Alternatively, you could use the ID token returned in the initial authentication exchange to create the user in your DB. Here’s a similar topic which should help:
- You should be able to avoid a call to the Management API altogether if you use the ID Token as mentioned previously.
Hopefully this helps clear things up a bit!