Metadata schema design

Anyone out there interested in a discussion about [user|app]_metadata schema design? For our initial forays into Auth0 we’ve mostly been (not) designing our metadata schema, with the expected results, and recently I’ve started working on cleaning this stuff up. I am by no means an expert so I’d be curious to see what others have done. My initial thoughts involve something like the following:

  • Application specific data should be stored in an application specific database, not in Auth0.
    • Nonetheless, we include room for application specific data in both user_metadata and app_metadata.
  • The structure below each application node is not defined (left up to the development team).

user_metadata: {
  global_attribute_1: "",
  global_attribute_2: [],
  global_attribute_3: {},
  applications: {      # user editable application specific data
    application_1: {},
    application_2: {},
    application_3: {},
  }
},
app_metadata: {
  global_attribute_1: "",
  global_attribute_2: [],
  global_attribute_3: {},
  permissions: {      # application specific roles, groups, scopes, etc
    application_1: {},
    application_2: {},
    application_3: {},
  },
  applications: {       # application specific data, not user editable
    application_1: {},
    application_2: {},
    application_3: {},
  }
}

This is a great idea.

Pending a future incarnation of the Authorization Extension, whatever that might look like, we’ve updated our metadata schema to mimic the authorization object that the authz extension uses as our permissions object. The previous model would likely have resulted in a lot of duplication.

We also have an internal user data hub so, while we are defining a formal schema for our user_metadata, our intent is to pull most of that information from the hub on demand. In general we are trying to minimize what we store in Auth0, while still storing data in Auth0 when that makes the most sense.

This is what we are going with now:

user_metadata: { 
    global_attribute_1: "", 
    global_attribute_2: [], 
    global_attribute_3: {},
    applications: { # user editable application specific data 
        application_1: {},  # object structure defined by developers
        application_2: {},  # object structure defined by developers
        application_3: {},  # object structure defined by developers
    } 
}, 

app_metadata: { 
    global_attribute_1: "", 
    global_attribute_2: [], 
    global_attribute_3: {}, 
    permissions: { # roles, groups, scopes, etc for RBAC
        groups: [], 
        roles: [], 
        scopes: [], 
    }, 
    applications: { # application specific data, not user editable 
        application_1: {},  # object structure defined by developers
        application_2: {},  # object structure defined by developers
        application_3: {},  # object structure defined by developers
    } 
}
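
A check for the schema above, added here as an example and not posted by anyone in the thread: it rejects a profile that carries permissions in the user-editable user_metadata, verifies that groups, roles and scopes are string arrays, and returns only the calling application's own nodes. The function names, the output keys user_settings and app_settings, and the sample values are assumptions.

```javascript
// Added example; all function and key names here are hypothetical.
const PERMISSION_KEYS = ["groups", "roles", "scopes"];
const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
// Returns the list of schema violations for one profile (empty = valid).
function validateProfile(profile) {
  const user = profile.user_metadata ?? {};
  const app = profile.app_metadata ?? {};
  if (!isObj(user) || !isObj(app)) return ["metadata must be objects"];
  const errors = [];
  // Authorization data must not sit in the user-editable half.
  if (has(user, "permissions")) errors.push("user_metadata.permissions is not allowed");
  for (const [name, meta] of [["user_metadata", user], ["app_metadata", app]]) {
    if (has(meta, "applications") && !isObj(meta.applications))
      errors.push(`${name}.applications must be an object`);
  }
  const perms = app.permissions ?? {};
  if (!isObj(perms)) return errors.concat("app_metadata.permissions must be an object");
  for (const key of Object.keys(perms)) {
    const value = perms[key];
    if (!PERMISSION_KEYS.includes(key)) errors.push(`unknown permissions key: ${key}`);
    else if (!Array.isArray(value) || !value.every((s) => typeof s === "string"))
      errors.push(`app_metadata.permissions.${key} must be an array of strings`);
  }
  return errors;
}

// Builds what one application should receive: permissions from app_metadata
// only, plus that application's own node from each applications object.
function claimsFor(profile, appKey) {
  const errors = validateProfile(profile);
  if (errors.length) throw new Error(errors.join("; "));
  const own = (meta) => {
    const apps = (meta ?? {}).applications ?? {};
    return has(apps, appKey) ? apps[appKey] : {};
  };
  const perms = (profile.app_metadata ?? {}).permissions ?? {};
  return {
    permissions: Object.fromEntries(PERMISSION_KEYS.map((k) => [k, perms[k] ?? []])),
    user_settings: own(profile.user_metadata),
    app_settings: own(profile.app_metadata),
  };
}

// Constructed sample profile following the thread's second schema.
const sampleProfile = {
  user_metadata: { applications: { application_1: { theme: "dark" } } },
  app_metadata: { permissions: { roles: ["editor"] }, applications: { application_2: { tier: 2 } } },
};
console.log(claimsFor(sampleProfile, "application_1"));
```

Run against a profile export, validateProfile flags records where authorization data has drifted into user_metadata before any application relies on them.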