Management API returns 401 Unauthorized

Just when you said "those details could be used to make authorization details": if a user changes his email, could it have an impact on authentication? Will the token be expired?

The token is stateless and will not expire if profile data changes. Let's say we had a rule that would allow a scope to be added if the user.roles array contained admin. If we issued a token to a user that allowed them to update:users, we would effectively have given the user a token with enough power to change their own authorization policy. This is not desirable. By design, user.user_metadata is editable by the user, so any data in there should not influence authorization decisions. In other words, we don't want the user to be able to define their own authorization policies.
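The escalation path described in the answer, as an added stand-alone example that is not code from the original thread or from Auth0. It models the policy decision in plain JavaScript rather than calling the Auth0 Rules API: the user object shape (user_metadata, app_metadata, user_id) follows Auth0's profile layout, the self-service update endpoint and the sample user "alice" are constructed for the example, and it is assumed that a user can change user_metadata on their own profile but not app_metadata.

```javascript
// Added example: compares a policy that trusts user-editable user_metadata
// with one that only trusts app_metadata. Not Auth0's code; the user layout
// mirrors Auth0 profiles but everything here runs stand-alone.

const ADMIN_SCOPES = ['read:users', 'update:users'];

// Vulnerable policy: grants admin scopes based on a field the user can edit.
function scopesFromUserMetadata(user) {
  const roles = (user.user_metadata && user.user_metadata.roles) || [];
  return roles.includes('admin') ? [...ADMIN_SCOPES] : [];
}

// Safer policy: only app_metadata decides roles. Assumption: app_metadata is
// writable only through the Management API (update:users), never by the
// user's own profile update, so the user cannot grant themselves a role.
function scopesFromAppMetadata(user) {
  const roles = (user.app_metadata && user.app_metadata.roles) || [];
  return roles.includes('admin') ? [...ADMIN_SCOPES] : [];
}

// Stateless token: scopes are fixed at issue time and never re-evaluated,
// which is why a later profile change does not revoke or update it.
function issueToken(user, policy) {
  return Object.freeze({ sub: user.user_id, scope: policy(user) });
}

// Hypothetical self-service profile endpoint: accepts user_metadata only.
function selfServiceUpdate(user, patch) {
  return { ...user, user_metadata: { ...user.user_metadata, ...patch } };
}

// Constructed sample user with no roles at all.
function sampleUser() {
  return {
    user_id: 'auth0|alice',
    email: 'alice@example.com',
    user_metadata: {},
    app_metadata: { roles: [] },
  };
}

// A normal user writes roles: ['admin'] into their own metadata and then
// obtains a fresh token. Returns the scopes before and after the tampering.
function escalationDemo(policy) {
  const alice = sampleUser();
  const before = issueToken(alice, policy);
  const tampered = selfServiceUpdate(alice, { roles: ['admin'] });
  const after = issueToken(tampered, policy);
  return { before: before.scope, after: after.scope };
}

// The question in the thread: does changing the email affect an already
// issued token? It does not; the old token keeps exactly the claims it had.
function tokenSurvivesEmailChange(policy) {
  const alice = sampleUser();
  const token = issueToken(alice, policy);
  const renamed = { ...alice, email: 'alice.new@example.com' };
  // Nothing in this model (and nothing in a stateless JWT) looks at the
  // profile again after issue time.
  return token.sub === renamed.user_id && token.scope === token.scope;
}

console.log('user_metadata policy:', escalationDemo(scopesFromUserMetadata));
console.log('app_metadata policy: ', escalationDemo(scopesFromAppMetadata));
```

With the user_metadata policy the second token carries update:users, so a user with no real role has just written their own authorization policy. With the app_metadata policy the tampering has no effect, because the field the user can reach is never consulted.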