I would like to know the best place to store a piece of user data, the member#. In the security context of our application, we consider member# one of the PII fields. Now, depending on the member#, the application controls access to different modules. So, should it be stored in user_metadata or app_metadata? FYI, member# should only be added at the time of registration, and it can be updated by the support team only. It cannot be updated by a member.
Another question: if we store member# in the ID token as a claim, can that be considered a security risk? I am not sure whether a man-in-the-middle can retrieve the ID token or not. But if they can, then I will have to use the Management API to retrieve the user metadata.
There is no functional difference between storing the user data in the app_metadata or user_metadata properties, only a semantic difference.
The difference between app_metadata and user_metadata is that the first should be used for information about the user that is controlled by the application (e.g. the user identifier for a legacy system, or the roles a user has), whereas user_metadata is information that the user can view and control (e.g. user settings, preferences). [Reference: Differences between client_metadata and app_metadata]
This should be fine and is not a security risk as long as the member# is considered non-confidential information. If it is considered confidential information, then it is not recommended to store this information in the token as a custom claim.
I hope that helps!
Please reach out again if you have any further questions.
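As an added example (not code from the thread or from Auth0), here is a post-login Action that follows the answer above: the member# lives in app_metadata, where only support or the Management API can change it, and the ID token carries only the module entitlements derived from it rather than the PII value itself. The field name `member_number`, the claim namespace and the prefix-to-module rule are assumptions for illustration.

```javascript
'use strict';

// Assumed namespace: Auth0 requires non-OIDC custom claim names to be namespaced URLs.
const NAMESPACE = 'https://example.com/claims/';

// Assumed business rule for this example: the member-number prefix decides module access.
function modulesForMember(memberNumber) {
  if (typeof memberNumber !== 'string' || !/^[A-Z]\d{6}$/.test(memberNumber)) {
    return []; // missing or malformed member number: grant nothing
  }
  const byPrefix = { P: ['billing', 'claims', 'profile'], S: ['profile'] };
  return byPrefix[memberNumber[0]] || ['profile'];
}

// Builds the custom claims for a login event. Only app_metadata is read, never
// user_metadata, because app_metadata is out of the member's reach (support /
// Management API only) and is therefore safe to base authorization on.
function customClaimsFor(event) {
  const appMeta = (event.user && event.user.app_metadata) || {};
  return {
    // the derived entitlements go into the token; the raw member number (PII) does not
    [NAMESPACE + 'modules']: modulesForMember(appMeta.member_number),
  };
}

// Auth0 post-login Action entry point (in a deployed Action this is exported as
// `exports.onExecutePostLogin`); `api.idToken.setCustomClaim` is the real Actions API.
const onExecutePostLogin = async (event, api) => {
  for (const [name, value] of Object.entries(customClaimsFor(event))) {
    api.idToken.setCustomClaim(name, value);
  }
};

// Constructed sample event: member_number was set by support at registration time.
// The user-editable copy in user_metadata is deliberately different and must be ignored.
const sampleEvent = {
  user: {
    user_id: 'auth0|sample',
    app_metadata: { member_number: 'P123456' },
    user_metadata: { member_number: 'P999999' },
  },
};
```

Running `onExecutePostLogin(sampleEvent, api)` against a stub `api` yields a single claim, `https://example.com/claims/modules`, set to the entitlements for `P123456`; nothing from user_metadata reaches the token.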