Our backend service requires user context (id, email) to be passed with each API call. Before Auth0, we had our own account service that generated a JWT token which encoded the user context. This JWT was verified by the API endpoints to extract the user context.
We’re now trying to use Auth0 (login with Github only) where we obtain the access token from Auth0 that is now passed to the API endpoint. The accessToken contains a sub field with a value like “github|1234567890”.
Is there a way to get an accessToken with the sub value set to our user context?
The typical application flow is as follows:
- Application logs in using Github credentials
- Auth0 provider provides Github user details.
- We look up our own user database using the email address for the Github user and create a new user if required.
- After this point, the user can access our API endpoints.
- The API endpoint would rather deal with our notion of the user instead of the Github user.
One solution is that the user context can be sent outside the accessToken (i.e. user context need not be encoded in the accessToken). And yes, the requests are secured by HTTPS. I am wondering if this is still a secure practice?
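The two halves of the pattern this question is circling, as an added example that is not part of the original post or of any Auth0-supplied code: a post-login Action in the shape Auth0 Actions use (`onExecutePostLogin(event, api)` with `api.accessToken.setCustomClaim`) that leaves `sub` as the identity-provider subject and attaches the application's own user id and email as namespaced custom claims, and an API-side function that derives user context only from a token payload whose signature, issuer, audience and expiry have already been verified by a JWT library, ignoring any user context the client sends outside the token. The claim namespace `https://example.com/`, the in-memory `appUsers` store, the `lookupOrCreateAppUser` helper and the `runActionWithMockApi` harness are assumptions constructed for this example.

```javascript
// Added example, not from the original post. Assumed claim namespace: a URL
// you control, so the claims cannot collide with standard JWT claims.
const CLAIM_NS = 'https://example.com/';

// Constructed stand-in for the poster's user database (email -> app user).
const appUsers = new Map();

// "Look up our own user database ... and create a new user if required."
function lookupOrCreateAppUser(email) {
  if (!appUsers.has(email)) {
    appUsers.set(email, { id: `u-${appUsers.size + 1}`, email });
  }
  return appUsers.get(email);
}

// Auth0 post-login Action body (same signature as a deployed Action).
// `sub` (e.g. "github|1234567890") is left untouched; the application's
// own identity rides alongside it in namespaced custom claims.
function onExecutePostLogin(event, api) {
  const appUser = lookupOrCreateAppUser(event.user.email);
  api.accessToken.setCustomClaim(`${CLAIM_NS}user_id`, appUser.id);
  api.accessToken.setCustomClaim(`${CLAIM_NS}email`, appUser.email);
}

// Offline harness (assumption): runs the Action against a mock `api` that
// records the claims a real Auth0 tenant would write into the access token.
function runActionWithMockApi(event) {
  const claims = {};
  const api = {
    accessToken: { setCustomClaim: (name, value) => { claims[name] = value; } },
  };
  onExecutePostLogin(event, api);
  return claims;
}

// API side. `verifiedPayload` must be the payload returned by a JWT library
// AFTER it has checked signature, issuer, audience and expiry; this function
// does not re-verify. `untrustedHeaders` models extra request headers: they
// are client-controlled and are never used as the source of identity.
function userContextFromToken(verifiedPayload, untrustedHeaders = {}) {
  if (!verifiedPayload || typeof verifiedPayload.sub !== 'string') {
    throw new Error('token has no subject');
  }
  const id = verifiedPayload[`${CLAIM_NS}user_id`];
  const email = verifiedPayload[`${CLAIM_NS}email`];
  if (typeof id !== 'string' || typeof email !== 'string') {
    throw new Error('token missing application user claims');
  }
  // A mismatching X-User-Id header is ignored, but logged so a spoof
  // attempt is visible in detection tooling.
  const claimed = untrustedHeaders['x-user-id'];
  if (claimed !== undefined && claimed !== id) {
    console.warn(`ignoring client-supplied user id ${claimed}; token says ${id}`);
  }
  return { id, email, idpSubject: verifiedPayload.sub };
}

// Usage: simulate one Github login, then an API call carrying that token.
const loginEvent = { user: { user_id: 'github|1234567890', email: 'a@example.com' } };
const claims = runActionWithMockApi(loginEvent);
const ctx = userContextFromToken({ sub: loginEvent.user.user_id, ...claims },
                                 { 'x-user-id': 'u-99' });
console.log(ctx); // { id: 'u-1', email: 'a@example.com', idpSubject: 'github|1234567890' }
```

The point of the split is that the API endpoint never has to trust anything the client adds beside the token: the application's notion of the user is bound into the signed access token at login time, and a user id sent in a separate header (even over HTTPS) is just an unauthenticated claim from whoever holds the token.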