I’m using a post-login Auth0 action to call my application backend, passing the Auth0 internal user_id in the body.
My backend returns the corresponding database_user_id (the ID for this user in our database).
Then I add both the Auth0 internal user_id and database_user_id as custom claims in the access token:
// Auth0 post-login action
exports.onExecutePostLogin = async (event, api) => {
  // .. call our backend, passing event.user.user_id, and keep its reply in `response`

  if (response.data.database_user_id) {
    // Persist the mapping on the user profile and expose both IDs as namespaced claims
    api.user.setAppMetadata("database_user_id", response.data.database_user_id);
    api.accessToken.setCustomClaim("https://myapp.com/database_user_id",
      response.data.database_user_id);
    api.accessToken.setCustomClaim("https://myapp.com/auth0_user_id", event.user.user_id);
  } else {
    // No matching database user: refuse the login (deny takes a reason string)
    api.access.deny("No database user found for this account");
  }
};
The reason is that I can then ensure the token is valid in our backend middlewares, and also easily extract the user_id and database_user_id.
But I’m wondering if this is safe to do?