To follow up on my own questions:
This answer pointed me in the right direction: Instead of
audience: 'https://tentant.eu.auth0.com/userinfo'
I added audience: 'api'
(which is the name of the custom API I added in the Auth0 console).
This results in receiving a proper JWT for the accessToken, instead of a short string.
I updated the rule to:
    function (user, context, callback) {
      // Prefix for the custom claims, read from the rule configuration
      const namespace = configuration.METADATA_NAMESPACE;
      // Make sure the objects exist before writing to them
      context.idToken = context.idToken || {};
      context.accessToken = context.accessToken || {};
      user.app_metadata = user.app_metadata || {};
      user.user_metadata = user.user_metadata || {};
      // Metadata goes into the ID token
      context.idToken[namespace + '/user_metadata'] = user.user_metadata;
      context.idToken[namespace + '/app_metadata'] = user.app_metadata;
      // Only local_id goes into the access token
      context.accessToken[namespace + '/local_id'] = user.app_metadata.local_id;
      callback(null, user, context);
    }
This seems to work properly. The local_id is added to the access_token.
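An added example, not part of the original post: how the API receiving this access token could verify it before trusting the `local_id` claim, rejecting the opaque short string, a wrong audience, a bad signature, or a missing claim. The namespace value, the throwaway key pair and the function names `readLocalId`, `signToken` and `tryRead` are assumptions made for illustration; in practice the public key is the tenant's signing key.

```javascript
// Added example: API-side check of the access token produced by the rule above.
const nodeCrypto = require('node:crypto');

const NAMESPACE = 'https://example.com'; // assumption: value of METADATA_NAMESPACE
const AUDIENCE = 'api';                  // API identifier used in the post
const b64u = (text) => Buffer.from(text).toString('base64url');

// Verify an RS256 JWT and return the namespaced local_id claim, or throw.
function readLocalId(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('opaque token, not a JWT');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg'); // never trust alg blindly
  const ok = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url'));
  const aud = [].concat(claims.aud); // aud may be a single string or an array
  if (!aud.includes(AUDIENCE)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  const localId = claims[`${NAMESPACE}/local_id`];
  if (localId === undefined) throw new Error('local_id claim missing');
  return localId;
}

// Constructed fixture: a throwaway key pair stands in for the tenant's signing key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signToken(claims) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${nodeCrypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}
// Returns the claim on success, or the rejection reason as a string.
function tryRead(token) {
  try { return readLocalId(token, publicKey); }
  catch (e) { return e.message; }
}
```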