Differences between client_metadata and app_metadata

Hi there.
client_metadata is a multi-purpose key/value hash to store information about an application (i.e. a “client” in OIDC/OAuth2 lingo). You might store, for example, the URL for the application’s home page (a field that Auth0 doesn’t provide by default in the application settings).
You get or set client_metadata either using the clients API (/api/v2/clients/{client_id}) or in the dashboard, in the application’s advanced settings. The client_metadata is stored as part of the application (a.k.a. client) properties.

app_metadata (and its close relative user_metadata) are both multi-purpose stores to put information related to a specific user. You use the users API (/api/v2/users/{user_id}) to read or write them. Each user can have different metadata stored in their profile.
The difference between app_metadata and user_metadata is that the first should be used for information about the user that is controlled by the application (e.g. the user identifier for a legacy system, or the roles a user has), whereas user_metadata is information that the user can view and control (e.g. user settings, preferences).

More information at Manage Metadata with Rules and Understand How Metadata Works in User Profiles.

Regarding your question about where to store the secret, it depends on the scope of the secret:

  • Is it just one secret per application? Then client_metadata would be a good place. But if this is the case, you should consider storing the secret directly in the application instead, to avoid putting the secret in the ID token.
  • Is it the same secret for the whole system (i.e. for all applications, or many)? Then the rule’s configuration values might be a better choice.
  • Is it a different secret for each user? Then app_metadata might be better.

Regardless, remember that claims in the ID token are not encrypted, so depending on the flow that you use, the user might be able to get the token and inspect the contents. So putting a secret in there might not be a good solution.
