Best Practices for Internal User Entity with Auth0

Help
,
1

Hi everyone,

I’m building an app using NestJS for the backend API and React for the frontend SPA. I have integrated Auth0 for user authentication, following the standard approach outlined in the Auth0 documentation—creating an application and API in the Auth0 dashboard. The user is authenticated through the frontend, and an access token is used for API calls to the backend, which works as expected.

However, I have a couple of questions:

  1. I would like to maintain my own internal User entity on the backend for additional user-related data. From my understanding, I should link my internal User entity to the Auth0 user by the sub (subject) value, which I would store as an external ID in my database. Is this the correct approach? Is it common practice to store the sub value as a reference to Auth0’s user, and are there any potential pitfalls I should be aware of?
  2. Regarding when to create this internal user entity—how should I manage this process? Should I be checking for the existence of the internal user entity on each API call and creating it if it doesn’t exist? I’m concerned that doing this for every request could negate one of the primary benefits of using JWTs, which is avoiding frequent database lookups.

I would appreciate any insights or best practices on this approach!

Thanks in advance.

3

Hey Max!

If the user-related data is not sensitive, you can utilize app_metadata inside your user’s profile (see here). This can eliminate the need for another database. But if the data is sensitive, here is some information regarding your questions.

  1. Using sub as the external ID is a good approach, as the sub/user_id is guaranteed to be unique, as mentioned here in the Auth0 docs and from another community post.
  2. If I understand your question correctly, do you want the user who has logged in/signed up also to have an entry inside your database? If so, you can utilize Auth0 Actions to accomplish this:
    • Login / Post Login
      • This action will run after a user authenticates into your application.
      • You can utilize this in the following manner:
        1. The event parameter is used to acquire the user’s sub.
        2. Use it to query your database
        3. If there are no results, then proceed to create this user entity in your database

Let me know if this helps!

1 Like
4

Thank you for the answer.
Regarding using actions. Do you mean I should call my backend endpoint from the action? As actions are being run on Auth0 servers, AFAIK

5

Yes, you should call your backend endpoint from the actions. For example, you can use Axios to make these API calls after installing it as a dependency in actions. Also, it would be beneficial if you reviewed the current limitations of actions here.

Let me know if you have any other questions!