Architecture for implicit grant and user id

Hi, I need a bit of advice. I’m the maintainer of a new Open Source project: ApiOpenStudio, and I’m upgrading the codebase ATM to use JWT tokens instead of the custom token stored in the DB (I know, even though it’s a short-lived token, that is not secure!).

So far, I have implemented generation and validation of the tokens in the API itself. But I also want to take into account enterprise-scale users who utilise a separate or 3rd party authentication service. Ideally, I want to not have to make any DB calls to validate the user against role permissions, so implicit grant would be ideal here. I’m still researching how this works and whether it requires custom claim values.

My main question is: how easy is it to integrate user data like UID or roles into claims in a JWT token? Will I be making it difficult for users to integrate their base users’ data into 3rd party systems like here? How have people solved similar issues? Like integrating Auth0 with a remote custom DB?

You can easily add custom data to the id and access tokens with actions. Here is an example of adding roles to the tokens after login:

https://auth0.com/docs/actions/triggers/post-login#add-user-roles-to-tokens

You can also add custom data to the user’s profile in auth0 by adding it to metadata. Here is more info on it:

Integrating with a custom database is a common use case:

JWT tokens, being signed and verifiable, will allow you to validate without a call to your DB.

Implicit flow is simply a way to transact with a public client that can’t store a secret. We would recommend using the auth code + PKCE flow for browser-based public clients like SPAs instead of implicit (it’s the more modern flow).
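As an added illustration of the two points above (not code from the thread, from Auth0 or from ApiOpenStudio): a post-login Action that copies the user's roles and user id into namespaced custom claims, and the check an API can run on the already verified claim set without touching its DB. The namespace URL, role names and user id are placeholders.

```javascript
// Custom claims in Auth0 must use a URL-style namespace on a domain you control;
// this one is a placeholder for illustration.
const NAMESPACE = 'https://apiopenstudio.example/';

// Post-login Action body (in the Auth0 editor it is assigned to
// exports.onExecutePostLogin and may be declared async).
// event.authorization.roles carries roles assigned in the dashboard; it is
// absent when no roles are configured, so default to an empty list.
function onExecutePostLogin(event, api) {
  const roles = (event.authorization && event.authorization.roles) || [];
  // ID token: for the client UI. Access token: what the API actually checks.
  api.idToken.setCustomClaim(`${NAMESPACE}roles`, roles);
  api.accessToken.setCustomClaim(`${NAMESPACE}roles`, roles);
  api.accessToken.setCustomClaim(`${NAMESPACE}uid`, event.user.user_id);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// API side. `payload` is the claim set of an access token whose signature,
// issuer, audience and expiry have ALREADY been verified by a JWT library.
// Authorisation is decided from the claims alone; no DB lookup is needed.
function authorize(payload, requiredRole) {
  const roles = payload[`${NAMESPACE}roles`];
  if (!Array.isArray(roles)) return { ok: false, reason: 'roles claim missing' };
  if (!roles.includes(requiredRole)) return { ok: false, reason: 'role not granted' };
  return { ok: true, uid: payload[`${NAMESPACE}uid`] };
}

// Constructed stand-in for the Auth0 runtime so the Action can be exercised
// locally; it records what setCustomClaim would have written to each token.
function runActionLocally(event) {
  const claims = { id: {}, access: {} };
  const api = {
    idToken: { setCustomClaim: (k, v) => { claims.id[k] = v; } },
    accessToken: { setCustomClaim: (k, v) => { claims.access[k] = v; } },
  };
  onExecutePostLogin(event, api);
  return claims;
}
```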

Many thanks, Dan.

I’ll go through those links you’ve passed on. Those should give me enough info to make a plan on how to refactor ApiOpenStudio for security, speed and different users’ requirements :+1:


No problem. Let us know if you have any questions.
