I’m currently implementing Auth0 to provide auth to many microservices. Including a ‘UserService’ that holds non-auth related data about each user.
Some of the other microservices need a user identifier to apply authorization - I don’t want to use the Auth0 id for this because I don’t want to rule out authenticating via other methods in the future, also it’s my understanding that the same user could authenticate with Lock via Google / another identity provider and end up with a different ‘sub’ claim in their token. Ideally I want users to be able to login through Auth0 via any identity provider and still access the same user account on our side (if they choose to).
It would be great if we could put our own user_id inside the JWT access_token issued by Auth0 so I don’t need to be always calling the UserService to look it up when the JWT is validated.
I’ve read that this can be achieved via ‘post-registration’ hooks, so every time a user registers via Lock, it creates that user in our UserService (via HTTP POST?), then attaches the user_id returned to the app_metadata for inclusion in future access_tokens…but what if they login via Google / Facebook where a ‘registration’ doesn’t really happen?
Would this also work with ‘pre-registration’ hooks? I’m concerned that if a user registers as part of a flow, the asynchronous nature of the ‘post-reg’ hook might not have been completed by the time they are redirected to the service that requires the user_id to be present in the JWT.
What’s the recommended way to achieve this?
Sorry for all the questions! Thanks!