What is the typical best practice for associating a user with a customer account? For example, when the user logs in, they get back an access token. Within that access token, it will have scopes such as crud:calendar. While I trust that this user has permission to now perform CRUD operations on the calendar, I only want to allow them to perform CRUD operations on the calendar that is associated with their account.
What would be the general best practice for doing this? I could add the customer account id to the scope... But I want to know what the general best practice would be.
For an access token issued as part of an end-user authentication flow, the sub claim contained by default will have the user identifier of the relevant user, so you can use that information to track user-specific resources.
The value of the sub claim maps to the user_id within the user profile, so the reference docs for user identifiers also apply to this scenario (Identify Users).
Thanks @jmangelo. I understand the value of sub matches the user ID. I would also like to include the account id that the user is part of. I assume that the place to put this would be in app_metadata?
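As an added example (not code from this thread or from Auth0), here is a deny-by-default authorization check in JavaScript that combines the crud:calendar scope with the sub claim from the answer above and an account id carried in a custom claim, as the follow-up asks. The claim name https://example.com/account_id, the calendar table and the token payloads are constructed assumptions, and JWT signature, issuer, audience and expiry verification is assumed to have already happened before `claims` is handed to this code.

```javascript
// Added example, not from the thread: authorize a calendar operation by
// combining the token's scope with a resource-ownership check. Assumes the JWT
// signature, issuer, audience and expiry were verified upstream and `claims`
// is the decoded payload. ACCOUNT_CLAIM is an assumed namespaced custom claim
// filled from app_metadata.account_id when the token is issued.
const ACCOUNT_CLAIM = "https://example.com/account_id";

// Constructed sample rows standing in for the calendar table.
const CALENDARS = new Map([
  ["cal-1", { id: "cal-1", accountId: "acct-100", ownerSub: "auth0|alice" }],
  ["cal-2", { id: "cal-2", accountId: "acct-200", ownerSub: "auth0|bob" }],
]);

// The OAuth `scope` claim is a space-delimited string (RFC 6749 section 3.3).
function hasScope(claims, required) {
  const granted = typeof claims.scope === "string" ? claims.scope.split(" ") : [];
  return granted.includes(required);
}

// Deny by default: an unknown id and a calendar owned by another account give
// the same "not found or not owned" answer, so a token holding only
// crud:calendar cannot reach or enumerate other accounts' calendars.
// Set perUser to additionally require sub to match the calendar's owner.
function authorizeCalendar(claims, calendarId, opts = {}) {
  const { requiredScope = "crud:calendar", perUser = false } = opts;
  if (!claims || typeof claims.sub !== "string") {
    return { allowed: false, reason: "missing sub" };
  }
  if (!hasScope(claims, requiredScope)) {
    return { allowed: false, reason: `missing scope ${requiredScope}` };
  }
  const accountId = claims[ACCOUNT_CLAIM];
  if (typeof accountId !== "string") {
    return { allowed: false, reason: "missing account claim" };
  }
  const calendar = CALENDARS.get(calendarId);
  const owned = calendar !== undefined && calendar.accountId === accountId &&
    (!perUser || calendar.ownerSub === claims.sub);
  if (!owned) {
    return { allowed: false, reason: "not found or not owned" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed token payload, as it would look after verification.
const aliceClaims = { sub: "auth0|alice", scope: "openid crud:calendar", [ACCOUNT_CLAIM]: "acct-100" };
console.log(authorizeCalendar(aliceClaims, "cal-1")); // { allowed: true, reason: "ok" }
console.log(authorizeCalendar(aliceClaims, "cal-2")); // { allowed: false, reason: "not found or not owned" }
```

The account check is what the scope alone cannot give you: the scope says what kind of operation the token may perform, while the account claim (or a server-side lookup from sub to account) says which rows it may perform it on.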