Hi, I need a bit of advice. I'm the maintainer of a new open-source project, ApiOpenStudio, and I'm currently upgrading the codebase to use JWT tokens instead of the custom token stored in the DB (I know, even though it's a short-lived token, that is not secure!).
So far, I have implemented generation and validation of the tokens in the API itself. But I also want to take into account enterprise-scale users who utilise a separate or third-party authentication service. Ideally, I want to avoid making any DB calls to validate the user against role permissions, so implicit grant would be ideal here. I'm still researching how this works and whether it requires custom claim values.
My main question is: how easy is it to integrate user data like UID or roles into claims in a JWT token? Will I be making it difficult for users to integrate their base user data into third-party systems like here? How have people solved similar issues, like integrating Auth0 with a remote custom DB?
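The pattern the question is asking about, as an added example that is not ApiOpenStudio's code and not taken from the post: mint an HS256 JWT whose payload carries the user's UID (as `sub`) and roles (as a namespaced custom claim), then verify the token and authorise a request from the claims alone, with no database lookup. The issuer, audience, shared secret and the claim name `https://apiopenstudio.example.com/roles` are all assumptions made for this example; the namespaced, URL-style claim name follows the convention that third-party identity providers such as Auth0 have required for custom claims, so the same validation code works whether the token came from the API itself or from an external IdP.

```python
"""Added example (not ApiOpenStudio code): JWT with UID and roles as claims,
validated and authorised without touching a database.

Assumed values (not from the original post): issuer, audience, secret and the
namespaced roles claim name. Only the standard library is used.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://auth.example.com"                        # assumed
AUDIENCE = "apiopenstudio"                                 # assumed
ROLES_CLAIM = "https://apiopenstudio.example.com/roles"    # assumed, namespaced (Auth0-style)
SECRET = b"constructed-demo-secret-do-not-reuse"           # constructed for the demo only


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(uid: int, roles: list, ttl: int = 900, now=None) -> str:
    """Create a compact HS256 JWT carrying the UID as 'sub' and the roles as a custom claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "sub": str(uid),      # RFC 7519 'sub' is a string, so stringify the numeric UID
        "iat": now,
        "exp": now + ttl,     # short-lived: bounds how long a stale role set stays usable
        ROLES_CLAIM: roles,   # custom claim: the role names the API will authorise against
    }
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now=None) -> dict:
    """Check algorithm, signature, issuer, audience and expiry; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's header pick 'none' or another scheme.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def authorise(token: str, required_role: str, now=None) -> str:
    """Return the UID if the token is valid and grants required_role; no DB call needed."""
    claims = verify_token(token, now=now)
    roles = claims.get(ROLES_CLAIM, [])
    if not isinstance(roles, list) or required_role not in roles:
        raise TokenError(f"role {required_role!r} not granted")
    return claims["sub"]


if __name__ == "__main__":
    tok = mint_token(42, ["developer"])
    print(tok)
    print("authorised UID:", authorise(tok, "developer"))
```

The trade-off the post is weighing shows up in `exp`: because roles are read from the signed token rather than the DB, a role change only takes effect when the token is reissued, so the TTL is the revocation lag you accept. When a third-party IdP issues the tokens, `verify_token` would check an RS256/ES256 signature against the IdP's published key set instead of a shared secret, but the claim shape and the authorisation step stay the same.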