Question: Do I still need a user database? What user data should be stored in user_metadata and app_metadata?
It is often advantageous and necessary to have a dedicated user database in addition to the Auth0 data store. Data stored by Auth0 should be related to the authentication/authorization process. As noted in the Store User Data doc:
"For example, you could have a Users table that lists each user authenticated by Auth0. Every time a user logs in, you could search the table for that user. If the user does not exist, you would create a new record. If they do exist, you would update all fields, essentially keeping a local copy of all user data.
Alternatively, you could store the user identifier in each table/collection that has user-associated data. This is a simpler implementation suited to smaller applications."
This configuration allows you to have full access to all of your user’s data and simplifies what is requested during authentication.