Hey Gabo, many users take this approach. It’s fair that Auth0 can’t answer whether this approach is secure since it involves a synchronization with FaunaDB that involves FaunaDB tokens/keys which they can’t really judge on.
Hence, I’m going to try and help. The part that actually matters is whether it’s safe to place a powerful FaunaDB key (one that can create users and optionally tokens) in an Auth0 rule. We can assume that that is safe since those are executed in a secure environment provided by Auth0.
Users/writers (e.g. https://www.smashingmagazine.com/2020/06/static-sites-jamstack-apps-faunadb/) are in each case using rules to sync FaunaDB users with Auth0 users. That’s fine but a bit cumbersome, especially in case you want to delete users later on.
In this particular case, he is indeed using the ID token as a way to send a FaunaDB secret to the frontend. Many companies have different opinions on how to use ID tokens/self-contained access tokens, and it is often frowned upon, but I’m not here to express an opinion about that. Since you are sending that ID token over https, and since that secret will be used by your frontend anyway, I do think security-wise this is just as secure as placing a secret in the frontend in any other way (but I’m not a security expert).
The other and better way would be to have a partial backend to handle that flow and/or only place the email of the user (if it’s not there already) on that ID token, and create the FaunaDB token in the backend by validating a token (ID or access; typically if it’s for the backend I think Auth0 recommends using an access token, but correct me if I’m wrong @mathiasconradt), looking up that user via the email, and creating a token for it. You can easily do that in a serverless function. If you then choose to access FaunaDB from the frontend (you can do so if you apply the right security roles), you can still forward that Fauna token to the frontend, and you gain the advantage that you could store information to refresh the user in an httpOnly cookie.
We are currently implementing examples and aim to release features that allow easier integration with an identity provider like Auth0. I know that this answer leaves a lot of gaps, but I did want to give you some sort of answer in the meantime.