I am trying to implement an RBAC solution for our users.
I am currently trying to understand how our servers (microservices) should handle users, and I have a few questions. Ideally, I would like the Access Token to hold as much of the user info as makes sense so every service wouldn’t have to query for the user info (which would add latency), but I can’t seem to be able to do that. So with that said, here are my questions:
- If I am using an obfuscated Access Token, should every service validate and get the user details from Auth0?
- If I am adding an audience field to the authentication, I saw that I am getting a JWT Access token, which I think would be better, but I don’t get how I can add custom claims to it… can I?
- In the JWT Access Token, I understand the `scopes` claim and the `aud` claim, but what is the `permissions` claim? Can I use it for what I want?
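Added example (not part of the original post and not Auth0's own code): what the "every service validates locally" model looks like for a JWT access token. Each microservice checks the signature, `alg`, `exp`, `iss` and `aud` itself, then makes its RBAC decision from the `permissions` claim (the claim Auth0 populates when RBAC is enabled for the API and "Add Permissions in the Access Token" is on), with no call back to the authorization server. Assumptions: HS256 with a constructed shared secret so it runs offline with the standard library (Auth0 access tokens are RS256 and are verified against the tenant's JWKS), a constructed issuer and API identifier, and a constructed namespaced custom claim standing in for whatever an Action would add.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only.
SECRET = b"example-shared-secret-not-a-real-key"
EXPECTED_ISSUER = "https://example-tenant.auth0.example/"      # assumed tenant issuer
EXPECTED_AUDIENCE = "https://orders.example.internal"          # assumed API identifier


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Stand-in for the authorization server: sign claims with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{_b64url_encode(compact(header))}.{_b64url_encode(compact(claims))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Validate the token locally and return its claims.

    Raises ValueError on any failure so a caller cannot forget a check.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # A missing exp is treated as expired rather than as "never expires".
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud_list:
        raise ValueError("token not issued for this API")
    return claims


def has_permission(claims: dict, needed: str) -> bool:
    """RBAC decision from the permissions claim (a list of strings)."""
    return needed in claims.get("permissions", [])


# Constructed sample claims of the shape the question describes.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "sub": "auth0|example-user-id",
    "aud": [EXPECTED_AUDIENCE],
    "exp": 4102444800,                                # 2100-01-01, far future
    "scope": "openid profile",
    "permissions": ["read:orders"],
    "https://example.com/roles": ["analyst"],         # constructed namespaced custom claim
}

if __name__ == "__main__":
    token = mint_token(SAMPLE_CLAIMS)
    claims = verify_token(token)
    print("read:orders   ->", has_permission(claims, "read:orders"))
    print("delete:orders ->", has_permission(claims, "delete:orders"))
    print("roles         ->", claims["https://example.com/roles"])
```

The service needs only the verification key and its own audience value to make this decision; the roles or permissions travel inside the token, which is the latency saving the question is after. Anything not in the token (full profile data, for instance) still needs a lookup, so only claims the service actually authorizes on belong there.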