I’m struggling to clearly understand the flow of obtaining user `app_metadata` after an authenticated user sends a request to my Resource Server with an Access Token.

I’ve seen previous answers on Stack Overflow, but they didn’t clarify things enough. For example, the information I need to obtain is the user's `organizationId` (`234`) and `organizationRole` (`POWER_USER`).

Can this information be loaded on the Access Token? If not, does this mean that my Resource Server has to call the authorization server (Auth0) each time to check these parameters? Because I see that the ID token isn’t being sent with the request.

Is this the best practice? Doesn’t this bring a latency toll to call the Authorization Server to check these details on each request?
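The resource-server side of the flow the question describes, as an added example that is not part of the question or of Auth0's own code: if the authorization server has placed the two values in the access token as custom claims, the resource server verifies the token locally and reads them, with no per-request call back to the authorization server. The claim namespace, the HS256 shared secret and `make_token` (a stand-in for the token issuer) are constructed assumptions for this example; a real deployment would typically verify an RS256 signature against the issuer's published keys instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: the claim namespace and the HS256 key are
# assumptions, not values from the question or from any real tenant.
NAMESPACE = "https://example.com/"
SHARED_SECRET = b"example-resource-server-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict) -> str:
    """Constructed stand-in for the authorization server: mint an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def org_claims_from_access_token(token: str, audience: str, now=None) -> dict:
    """Resource-server side: verify the access token locally, then read the
    organization claims from it. Raises ValueError on any verification failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject "none" and other unexpected algorithms
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != audience:  # token must be meant for this resource server
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return {
        "organizationId": claims.get(NAMESPACE + "organizationId"),
        "organizationRole": claims.get(NAMESPACE + "organizationRole"),
    }
```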