Metadata and ID Token query

Hi,

I would like to know what would be the best place to store user data - member#. In the security context of our application, we consider member# one of the PII fields. Now, depending on the member#, the application controls access to different modules. So, should it be stored in user_metadata or app_metadata? FYI, member# should only be added at the time of registration or updated by the support team only. It cannot be updated by a member.

Another question: if we store member# in the ID token as a claim, can that be considered a security risk? I am not sure if a man-in-the-middle can retrieve the ID token or not. But if they can, then I will have to use the Management API to retrieve the user metadata.

Any suggestions are highly appreciated.

Hi @parthp,

Thanks for reaching out to the Auth0 Community!

There is no functional difference between storing the user data in the app_metadata or user_metadata properties, only a semantic difference.

The difference between app_metadata and user_metadata is that the first should be used for information about the user that is controlled by the application (e.g. the user identifier for a legacy system, or the roles a user has), whereas user_metadata is information that the user can view and control (e.g. user settings, preferences). [Reference: Differences between client_metadata and app_metadata]

This should be fine and is not a security risk as long as the member# is considered non-confidential information. If it is considered confidential information, then it is not recommended to store this information in the token as a custom claim.

I hope that helps!

Please reach out again if you have any further questions.

Thanks,
Rueben
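As an added illustration of the answer above (example code, not from the thread or from Auth0's own samples): an Auth0 post-login Action that reads the member number from app_metadata, which only the application or support staff can change, and copies it into a namespaced custom claim on the ID token. It deliberately ignores user_metadata, because a value the user can edit must not drive module access. The claim namespace `https://example.com/`, the app_metadata key `member_number`, and the `runAction` harness are assumptions made for this example; `onExecutePostLogin` and `api.idToken.setCustomClaim` are the real Auth0 Actions hooks.

```javascript
// Added example, not code from the Auth0 Community thread.
// Assumed claim namespace; Auth0 requires custom claims to be namespaced.
const CLAIM_NAMESPACE = "https://example.com/";
// Assumed app_metadata key holding the application-controlled member number.
const MEMBER_KEY = "member_number";

// Auth0 post-login Action handler (real hook name). Reads only app_metadata:
// user_metadata is user-editable, so it is not trusted for access decisions.
function onExecutePostLogin(event, api) {
  const appMeta = (event.user && event.user.app_metadata) || {};
  const memberNumber = appMeta[MEMBER_KEY];
  // No member number on the profile: emit no claim rather than an empty one,
  // so the relying application can distinguish "unset" from a real value.
  if (memberNumber === undefined || memberNumber === null) {
    return;
  }
  api.idToken.setCustomClaim(CLAIM_NAMESPACE + MEMBER_KEY, String(memberNumber));
}

// In the Auth0 Actions editor this export is what the runtime invokes.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed local harness: fakes the `api` object so the Action can be
// exercised offline and the resulting ID token claims inspected.
function runAction(user) {
  const idTokenClaims = {};
  const api = {
    idToken: {
      setCustomClaim: (name, value) => {
        idTokenClaims[name] = value;
      },
    },
  };
  onExecutePostLogin({ user }, api);
  return idTokenClaims;
}

// Constructed sample profile: app_metadata and user_metadata disagree on
// purpose, to show that only the application-controlled value is used.
const sampleUser = {
  user_id: "auth0|example-user",
  app_metadata: { member_number: 12345 },
  user_metadata: { member_number: 99999, theme: "dark" },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(runAction(sampleUser));
}
```

Remember that an ID token is signed, not encrypted: anything placed in it is readable by every party that holds the token, which is exactly why the answer limits this to non-confidential values.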
