Embedding User Group info (Authorization Extension) in access token for API use

Quick question - I’m using the Authorization Extension, and extending the auto-generated rule after it’s configured with this

var namespace = 'MY_NAMESPACE'; // prefix for the custom claim name
context.accessToken[namespace + 'group'] = data.groups; // copy the user's Authorization Extension groups into the access token

with MY_NAMESPACE being replaced with the namespace I’m using.

Are there any security concerns with adding the user’s group data to the access token instead of metadata? Maybe it’s just because I’m not too sure how to use metadata from my custom Express backend, but it’s really easy this way for me to authenticate a user via access_token from my SPA and allow/disallow access to routes/CRUD methods based on what group they belong to.

From a security perspective you should be covered because the issued access token will be validated by the API, so it will know it can trust the group data associated with the token. However, including it in the token means that group information will be hardcoded for the lifetime of the access token (if the groups change, the already issued access tokens won’t reflect that), so you have to review the approach not so much due to security considerations, but more from a functional perspective.

Interesting, thanks for clarifying!
