Quick question - I’m using the Authorization Extension, and extending the auto-generated rule after it’s configured with this:

```js
var namespace = 'MY_NAMESPACE';
context.accessToken[namespace + 'group'] = data.groups;
```

with MY_NAMESPACE being replaced with the namespace I’m using.
Are there any security concerns with adding the user’s group data to the access token instead of metadata? Maybe it’s just because I’m not too sure how to use metadata from my custom Express backend, but it’s really easy this way for me to authenticate a user via access_token from my SPA and allow/disallow access to routes/CRUD methods based on what group they belong to.
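
The backend side of the setup described in the question, as an added example that is not part of the original post: an Express-style guard that authorizes a route from the namespaced group claim. It assumes an upstream JWT middleware (called `verifyJwt` here, a hypothetical name) has already verified the token's signature, issuer, audience and expiry and placed the decoded claims on `req.auth`; `requireGroup`, `groupsFromClaims` and `runGuard` are likewise names made up for this example.

```javascript
// Added example: group-based route guard for an Express API.
// Assumption: req.auth holds the claims of an access token that an upstream
// middleware has ALREADY verified. Never read claims from an unverified token.
const NAMESPACE = 'MY_NAMESPACE';         // placeholder, as in the post
const GROUP_CLAIM = NAMESPACE + 'group';  // same key the rule writes

// Normalize the claim: anything other than an array of strings is treated as
// "no groups", so a malformed claim fails closed. (A bare string would
// otherwise match substrings via String.prototype.includes.)
function groupsFromClaims(claims) {
  const value = claims && claims[GROUP_CLAIM];
  if (!Array.isArray(value)) return [];
  return value.filter((g) => typeof g === 'string');
}

// Middleware factory: allow the request if the user is in any listed group.
function requireGroup(...allowed) {
  return function (req, res, next) {
    if (!req.auth) {
      return res.status(401).json({ error: 'missing or unverified token' });
    }
    const groups = groupsFromClaims(req.auth);
    if (!allowed.some((g) => groups.includes(g))) {
      return res.status(403).json({ error: 'insufficient group membership' });
    }
    return next();
  };
}

// Constructed harness: runs a guard against mock req/res objects so the
// behaviour can be checked without a running server.
function runGuard(guard, auth) {
  const result = { status: null, nextCalled: false };
  const res = {
    status(code) { result.status = code; return this; },
    json() { return this; },
  };
  guard({ auth }, res, () => { result.nextCalled = true; });
  return result;
}

// Usage with Express (not executed here; verifyJwt and handler are hypothetical):
//   app.delete('/items/:id', verifyJwt, requireGroup('admins'), handler);
```

The groups in an access token reflect membership at the time the token was issued, so a change in group membership only reaches this check once a new token is issued.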