I’m struggling to clearly understand the flow of obtaining user app_metadata after an authenticated user sends a request to my Resource Server with an Access Token .
I’ve seen previous answers on Stack Overflow, but they didn’t clarify things enough.
For example, the information I need to obtain is users organizationId ( 234 ) and organizationRole ( POWER_USER ).
Can this information be loaded on the Access-Token ? If not, does this mean that my Resource Server has to call the authorization server ( Auth0 ) each time to check these parameters? B/C I see that the ID token isn’t being sent with the request.
Is this the best practice? Doesn’t this bring a latency toll to call Authorization Server to check these details on each request?