Questions on mixing SPA with API Authentication

Hi all,

I have a bit of an odd use-case, I’m trying to create a dashboard so I can load and examine data from many third party OAuth enabled APIs, and schedule “offline”, time-triggered “jobs” which would access data via the OAuth session. I’ve created an API in Django, and was going to build the dashboard itself in React.

I’ve heard good things about integrating Auth0, so I thought it would be the fastest way to tack on some authentication capabilities to the dashboard, so I could have it hosted on the internet without concerns about data leaking. I’m not sure if it’s because I’m doing something silly, but it has been much, much harder than I expected to integrate Auth0 properly (specifically, blogs/posts using Redux all use the supposedly outdated auth0.js library; any mention of Django uses the unsupported drf-jwt library, etc.)

As a long time Django user, I am used to keeping all my user data in my own database, but I’d like to try off loading both signup/registration, and log in, over to Auth0. I have already added the Login workflow to the dashboard, and have set up API Authentication sending the Bearer token across and verifying it on the server side.

My questions:

Is there any way for the server side to get more data on the user, such as email? (using the Bearer token only.) - Update: I’ve kinda solved this myself by adding rules to enrich the data sent in the Bearer/JWT token.

Is the ‘sub’ claim consistent, and trustworthy enough to use in the DB for storing users data? (e.g. if the user deletes their account, the ‘sub’ isn’t recycled, if the user changes some user data, like email, the ‘sub’ isn’t regenerated, etc.)

Why is there no “jti” claim or similar? I know it’s optional in the JWT spec, but it’s useful for blacklisting tokens on the server side.

Thanks
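The three server-side pieces the post touches on (verifying the Bearer token, keying user records on `sub` rather than on a mutable claim such as email, and denylisting by `jti` when one is present) can be seen together in the following added example. It is not code from the original post or from Auth0; to stay self-contained it signs with HS256 and a constructed shared secret, whereas Auth0 access tokens are RS256-signed and a real Django view would verify them against the tenant’s JWKS with a library such as PyJWT. The issuer, audience and the custom email claim name are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (assumptions, not Auth0's real settings).
SECRET = b"example-shared-secret"                  # HS256 key; Auth0 would use RS256 + JWKS
ISSUER = "https://example-tenant.auth0.com/"       # hypothetical tenant
AUDIENCE = "https://api.example.com/"              # hypothetical API identifier
EMAIL_CLAIM = "https://example.com/email"          # hypothetical namespaced claim added by a rule

REVOKED_JTI: set = set()  # server-side denylist, keyed by the jti claim


class TokenError(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Issue an HS256 JWT; stands in for the identity provider in this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_bearer(token: str, now: float = None) -> dict:
    """Validate signature, alg, iss, aud, exp, sub and the jti denylist; return the claims."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: never trust the header's alg ("none", key confusion, etc.).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("expired")
    if not claims.get("sub"):
        raise TokenError("missing sub")
    # jti is optional; only enforce the denylist when the token actually carries one.
    jti = claims.get("jti")
    if jti is not None and jti in REVOKED_JTI:
        raise TokenError("revoked")
    return claims


def user_key(claims: dict) -> str:
    """Use sub as the stable database key; email (if enriched in) is display data that may change."""
    return claims["sub"]


def user_email(claims: dict):
    return claims.get(EMAIL_CLAIM)


def revoke(claims: dict) -> bool:
    """Denylist a verified token by jti. Returns False when the token has no jti to key on."""
    jti = claims.get("jti")
    if jti is None:
        return False
    REVOKED_JTI.add(jti)
    return True


if __name__ == "__main__":
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "auth0|abc123",
                      "exp": 2000000000, "jti": "t-1", EMAIL_CLAIM: "user@example.com"})
    c = verify_bearer(tok, now=1700000000)
    print(user_key(c), user_email(c), revoke(c))
```

Because `jti` is optional, the denylist only helps for tokens that carry one; tokens without it can only be cut off by their `exp`, which is why short-lived access tokens matter more than the denylist in practice.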