I don’t think it’s fully wrong, but it’s definitely not a best practice.
- For starters, you’re completely throwing out a couple of OIDC features. For instance, you’re giving up the normalized user profile Auth0 provides, which you would get if you were to use scopes like `email`, `profile`, `address` and `phone`.
- There’s also the issue of oversharing: do you really want the user (because they’re capable of viewing and decoding the ID token) to see literally everything in their profile?
- You run into the risk of making your token too big. The token is sent back to your app as a URL hash and that means you can run into the maximum URL length. You wouldn’t be the first: The generated token is too large - #2 by jmangelo
So, I’d say for those three reasons (not in the spirit of OIDC, oversharing and risk of an oversized token), I wouldn’t advise it. But again… it’s a bit of a grey area.
Anyone else with more experience (or, fingers crossed, an Auth0 employee) who can help out here?
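As an added illustration of the two technical points in this reply (the user can decode everything in the ID token, and an over-stuffed token can push the redirect URL past browser limits), here is a self-contained Python sketch. It is not code from this thread or from Auth0: it signs with HS256 for the demo (Auth0 uses RS256, but the payload encoding is the same base64url JSON), uses a constructed sample profile, and assumes a 2048-character URL limit as a conservative browser threshold. The scope-to-claim mapping follows OpenID Connect Core 1.0 section 5.4.

```python
import base64
import hashlib
import hmac
import json

# Standard claims each OIDC scope unlocks (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

# Constructed sample profile: what an IdP might store for a user, including
# internal fields no relying party (or the user) should receive.
SAMPLE_PROFILE = {
    "sub": "auth0|example-user-id",  # constructed, not a real user id
    "name": "Jane Doe",
    "email": "jane@example.com",
    "email_verified": True,
    "phone_number": "+1 555 0100",
    "internal_risk_score": 0.83,
    "signup_ip": "203.0.113.7",
    "support_notes": "Called twice about billing; " * 60,  # padding to mimic a fat profile
    "app_metadata": {"roles": ["admin"], "tenant": "acme"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(claims, secret=b"demo-secret"):
    # HS256 for the demo only; the point is the payload, which is never encrypted.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_payload(token):
    # No key needed: anyone holding the token (i.e. the user) can read every claim.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claims_for_scopes(profile, scopes):
    # Emulate the scope filter an OIDC provider applies: only permitted claims.
    wanted = {"sub"}
    for scope in scopes:
        wanted.update(SCOPE_CLAIMS.get(scope, []))
    return {k: v for k, v in profile.items() if k in wanted}


def implicit_flow_url_length(token, redirect="https://app.example.com/callback"):
    # Implicit flow returns the ID token in the URL fragment of the redirect.
    return len(f"{redirect}#id_token={token}&token_type=Bearer")


def compare(profile, scopes, url_limit=2048):
    # Scope-filtered token vs. "put the whole profile in the token".
    scoped = make_jwt(claims_for_scopes(profile, scopes))
    everything = make_jwt(profile)
    return {
        "scoped_len": implicit_flow_url_length(scoped),
        "everything_len": implicit_flow_url_length(everything),
        "everything_exceeds_limit": implicit_flow_url_length(everything) > url_limit,
        # Claims the user would see only because the full profile was embedded.
        "leaked_claims": sorted(set(decode_payload(everything)) - set(decode_payload(scoped))),
    }


if __name__ == "__main__":
    print(json.dumps(compare(SAMPLE_PROFILE, ["openid", "email", "profile"]), indent=2))
```

Running it with `openid email profile` shows the standard claims only, while the all-in token exposes `internal_risk_score`, `signup_ip` and the support notes to the user and blows past the assumed URL limit; the same check is useful before adding custom claims to a real ID token.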