Generally speaking, regardless of the specific technology, the authorization decisions of your application should be based on the information defined by your authorization model.
This information can come from a variety of sources (access token, database, runtime environment, etc.).
If you rely on the access token, it should allow you to retrieve the information you need (the user ID, in your case). For example, JWT access tokens issued by Auth0 include the user ID (sub claim).
More generally, if you need other information to make your authorization decisions, you can enrich the access token with custom claims by using Auth0 Actions.
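An added example, not part of the reply above: an API-side authorization decision that uses the sub claim and a custom claim only after the access token has been verified. The secret, issuer, audience, role claim name and the locally signed HS256 token are constructed stand-ins for an Auth0-issued token; a real API would verify with a maintained JWT library and its tenant's keys.

```javascript
const crypto = require('node:crypto');

// Constructed values for the demo; a real API uses its own tenant's issuer, audience and keys.
const SECRET = 'demo-secret-not-for-production';
const ISSUER = 'https://tenant.example/';
const AUDIENCE = 'https://api.example/';
const ROLE_CLAIM = 'https://api.example/roles'; // hypothetical namespaced custom claim

const b64url = (v) => Buffer.from(v).toString('base64url');
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Stand-in for the authorization server: signs an HS256 token for the demo.
function issueToken(claims) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`))}`;
}

// Returns the claims only if algorithm, signature, issuer, audience and expiry all check out.
function verifyToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch { return null; }
  // Pin the algorithm; never let the token header choose it.
  if (!header || !claims || header.alg !== 'HS256') return null;
  const expected = hmac(`${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const aud = [].concat(claims.aud); // aud may be a string or an array
  if (claims.iss !== ISSUER || !aud.includes(AUDIENCE)) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= now) return null;
  return claims;
}

// Authorization decision: the owner (sub) may access the record, as may an admin (custom claim).
function canAccess(token, record) {
  const claims = verifyToken(token);
  if (!claims) return false;
  const roles = Array.isArray(claims[ROLE_CLAIM]) ? claims[ROLE_CLAIM] : [];
  return claims.sub === record.ownerId || roles.includes('admin');
}
```

The decision compares the token's sub with an owner ID stored server-side; an ID supplied in the request body or URL is only the lookup key, never the identity.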