I’m not sure what the intended practice is for custom claims. It seems that I’m supposed to create a rule that adds them to the access token. The example creates a claim from the user profile, but what if I need to retrieve those claims from one or more application servers? Do I just write that call to the server from the rule and then use the response to load the access token? If so, I’d want that application server to be protected as well, so is the auth token available in the context somewhere so that my fetch request will work? Does fetch even work in the context of a rule?
You can write arbitrary code in a rule, meaning that you can set up any way of server-to-server authentication between the rule (Auth0 server running it) and your external server that provides the additional data to augment the claims of a token. For that purpose, you would need to register the external servers as APIs in Auth0, and then you can use the Client Credentials Grant.
However, it’s risky to pull data in real time from a third party during the authentication process. In the best case it will add delay to the authentication flow. In the worst case, those servers are down, and your users are completely locked out of their accounts, unless you gracefully handle a lack of response from the server.
If you are in complete control of these other servers, and the purpose of connecting to them during authentication is to get the latest version of the claims, what if you instead push the data from the servers and into Auth0, storing it in the User’s app_metadata as soon as it changes? This would also allow you to have a single source of truth at all times, instead of having to connect to different sources to know exactly what claims a user should have.
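The pattern the answer describes, as an added example that is not code from this thread or from Auth0: a rule-shaped function that obtains a client-credentials token, calls an external claims server with it, and falls back to the claims already pushed into `user.app_metadata` when that server is slow or down, so a login never blocks on a third party. The rule keeps the real Auth0 `(user, context, callback)` shape and the real requirement that custom claims carry a namespaced URL key; everything else (the `https://example.com/claims/` namespace, the token and claims URLs, the `roles`/`tenant` claim names, and the injectable `http` helper with its offline stub) is a hypothetical assumption for illustration.

```javascript
// Added example: Auth0-style rule that augments the access token with claims
// from an external server via Client Credentials Grant, degrading gracefully
// to app_metadata. All names below are hypothetical unless noted.

// Auth0 drops custom claims that are not namespaced; this prefix is an assumption.
const CLAIMS_NAMESPACE = 'https://example.com/claims/';

// Hypothetical settings a real rule would read from `configuration`.
const DEFAULT_CONFIG = {
  tokenUrl: 'https://tenant.example.auth0.com/oauth/token',
  audience: 'https://claims-api.example.internal',
  claimsUrl: 'https://claims-api.example.internal/users/',
  clientId: 'CLIENT_ID_PLACEHOLDER',
  clientSecret: 'CLIENT_SECRET_PLACEHOLDER',
  timeoutMs: 2000,
};

// Only these claim names are copied into the token; the external server must
// not be able to write arbitrary keys into it.
const ALLOWED_CLAIMS = ['roles', 'tenant'];

// Race a promise against a deadline; the timer is cleared so the process can exit.
function withTimeout(promise, ms) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('timeout after ' + ms + ' ms')), ms);
  });
  return Promise.race([promise, deadline]).finally(() => clearTimeout(timer));
}

// Client Credentials Grant: the rule authenticates as itself (machine to
// machine), not with the end user's token. `http(url, opts)` is an injectable
// fetch-like async function so the example runs offline with a stub.
async function getM2MToken(http, cfg) {
  const res = await http(cfg.tokenUrl, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
      audience: cfg.audience,
    }),
  });
  if (res.status !== 200) throw new Error('token endpoint returned ' + res.status);
  const body = await res.json();
  if (typeof body.access_token !== 'string') throw new Error('no access_token in response');
  return body.access_token;
}

async function fetchExternalClaims(http, cfg, userId) {
  const token = await getM2MToken(http, cfg);
  const res = await http(cfg.claimsUrl + encodeURIComponent(userId), {
    method: 'GET',
    headers: { authorization: 'Bearer ' + token },
  });
  if (res.status !== 200) throw new Error('claims endpoint returned ' + res.status);
  return res.json();
}

function pickClaims(source) {
  const out = {};
  for (const name of ALLOWED_CLAIMS) {
    if (source && source[name] !== undefined) out[name] = source[name];
  }
  return out;
}

// The rule proper; `deps.http` and `deps.config` are injected for testing.
async function addClaimsRule(user, context, callback, deps) {
  const cfg = Object.assign({}, DEFAULT_CONFIG, deps.config || {});
  let claims;
  try {
    claims = pickClaims(await withTimeout(fetchExternalClaims(deps.http, cfg, user.user_id), cfg.timeoutMs));
  } catch (err) {
    // Graceful degradation: a dead or slow server must not lock users out.
    claims = pickClaims((user.app_metadata && user.app_metadata.claims) || {});
  }
  context.accessToken = context.accessToken || {};
  for (const [name, value] of Object.entries(claims)) {
    context.accessToken[CLAIMS_NAMESPACE + name] = value;
  }
  return callback(null, user, context);
}

// Constructed offline stub standing in for the token and claims endpoints.
function makeStubHttp(claimsByUser) {
  const okJson = (obj) => ({ status: 200, json: async () => obj });
  const fail = (status) => ({ status, json: async () => ({}) });
  return async function http(url, opts) {
    if (url === DEFAULT_CONFIG.tokenUrl) {
      const body = JSON.parse(opts.body);
      const ok = body.grant_type === 'client_credentials' && body.client_secret === DEFAULT_CONFIG.clientSecret;
      return ok ? okJson({ access_token: 'stub-m2m-token', token_type: 'Bearer' }) : fail(401);
    }
    if (url.startsWith(DEFAULT_CONFIG.claimsUrl)) {
      if (opts.headers.authorization !== 'Bearer stub-m2m-token') return fail(401);
      const claims = claimsByUser[decodeURIComponent(url.slice(DEFAULT_CONFIG.claimsUrl.length))];
      return claims ? okJson(claims) : fail(404);
    }
    return fail(404);
  };
}

// Stand-alone demo: one login with the claims server up, one with it down.
async function demo() {
  const user = { user_id: 'auth0|demo', app_metadata: { claims: { roles: ['viewer'], tenant: 'acme' } } };
  const up = makeStubHttp({ 'auth0|demo': { roles: ['admin'], tenant: 'acme', evil: 'ignored' } });
  const down = async () => { throw new Error('ECONNREFUSED'); };
  const tokens = [];
  for (const http of [up, down]) {
    await addClaimsRule(user, { accessToken: {} }, (err, u, ctx) => tokens.push(ctx.accessToken), { http });
  }
  return tokens;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((tokens) => console.log(JSON.stringify(tokens, null, 2)));
}
```

Two design points carry the answer's caveats: the external call is bounded by a timeout and any failure silently falls back to the `app_metadata` copy, so an outage costs freshness rather than logins; and only an allow-list of claim names is copied, so the external server cannot inject unexpected keys into the token. In a real rule the client secret would come from the rule's encrypted `configuration` object rather than a constant.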