I’m tasked with doing research on authentication in an upcoming project at work.
I’ve played with a free Auth0 for some time and it seems great, but I have some reservations about my proposed workflow.
I realize one of the benefits of presenting JWT tokens to a protected resource is removing the need to contact the authentication server on each request, but how does one deal with claims that can update between requests (roles, first/last name, etc.)?
Currently my frontend is treating the id token as proof of authentication only (not reading any of the claims presented in it) and by using the access token, my API retrieves a full user profile + roles, using the Management API to do so.
My concern is the documented rate limits of the Management API, as each request to my API in this scheme will invoke a call to the Management API. Initially, there will be a very limited set of users (~10 concurrently), but I fear getting rate throttled as the user base scales.
Are my concerns valid and if so, is JWT authentication perhaps not the route to go for my authentication/authorization needs?