This is pretty much how you’d do it. Users of the Authorization Extension are already used to this: the extension generates a rule in your Auth0 tenant that makes an API call to the extension every time a user logs in to get the groups, roles and permissions for that user.