Thanks @jmangelo for your kind response. Expanding a bit…
- Self-hosted database
- Backed by Auth0, especially the user_metadata attributes from the Auth0 user profile.
- Self-hosted API
- Directly from Auth0
We will consider hosting a database out of scope and constrain to Auth0-persistence.
Auth0 x Call from client
The Authentication API userinfo end-point does not support app_metadata retrieval directly.
- Violate OIDC conformance and include app_metadata in the id_token with a rule.
Will also need to uncheck compliance in the client (Client --> Show Advanced Settings --> OAuth)
- Have the client call the Auth0 Management API directly from the SPA (single page application). The appropriate Management API end-points are get_users_by_id and patch_users_by_id. As these are user clients hitting the Management API, it is imperative to apply the principle of least privilege! NB: For updating information there is a community-supported widget, auth0-editprofile-widget, mentioned in Auth0 user profile details.
Auth0 x Self-hosted API
If you prefer to violate neither OIDC conformance nor have user clients access the Management API directly, there are options.
One is to create a thin API-proxy. The proxy takes user access_tokens with a developer-defined scope, e.g. read:user. The backend then uses get_users_by_id to hit the Auth0 Management API. Auth0 client credentials stay on the backend, within my control, instead of being available to the end-user client.
Setting and retrieving user_metadata is a common developer task. It shouldn't be this difficult. I really don't want to proxy requests from end-user client --> Auth0, nor do I want end-user clients hitting the Auth0 Management API directly. If I've missed something, pointing out a better solution would be awesome.
Otherwise, please add OIDC-conformant user info retrieval as a backlog item.
Just tossing out some ideas…
One option would be to simply allow app_metadata as query params on the Authentication API userinfo end-point, using a similar query style as the Management API, i.e.
Another option would be separate PUT end-points (Authentication API) for accessing metadata.
For more of my thoughts on Auth0 as a vendor, see article on HackerNoon.
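The thin API-proxy described in the post above, written out as a small module. This is an added example, not the poster's code and not Auth0's: the SPA sends its user access_token to this backend, the backend (assumed to have already verified the JWT signature and extracted `claims`) checks a developer-defined scope, forwards only user_metadata to the Management API using a client-credentials token that exists only in backend config, and filters the upstream response so app_metadata never reaches the browser. The scope names `read:user` and `update:user`, the `transport` function (a synchronous stand-in for `fetch` so the example runs offline) and the in-memory fake of the Management API are all hypothetical.

```javascript
// Added example (not Auth0's code): a least-privilege proxy between a SPA and
// GET/PATCH /api/v2/users/{id} on the Auth0 Management API.
// Assumptions (hypothetical): scopes "read:user" / "update:user"; `claims` are
// the already-verified access_token claims; `transport(url, options)` is a
// synchronous stand-in for fetch returning { status, body }.

const FORWARDED_FIELDS = ["user_metadata"];            // app_metadata is deliberately excluded
const SCOPE_FOR_METHOD = { GET: "read:user", PATCH: "update:user" };

// Authorization decision: the token must carry the scope for the verb, and its
// subject must be the profile being touched (a user token only acts on itself).
function authorize(claims, method, targetUserId) {
  const needed = SCOPE_FOR_METHOD[method];
  if (!needed) return { ok: false, status: 405, reason: "method not allowed" };
  const scopes = String(claims.scope || "").split(" ");
  if (!scopes.includes(needed)) return { ok: false, status: 403, reason: `missing scope ${needed}` };
  if (!claims.sub || claims.sub !== targetUserId) return { ok: false, status: 403, reason: "not the token subject" };
  return { ok: true };
}

// Keep only the fields the proxy is willing to pass, in either direction.
function pickForwarded(obj) {
  const out = {};
  for (const k of FORWARDED_FIELDS) {
    if (obj && Object.prototype.hasOwnProperty.call(obj, k)) out[k] = obj[k];
  }
  return out;
}

// Build the Management API call; the client-credentials token never leaves cfg.
function buildManagementRequest(cfg, method, userId, body) {
  const url = `https://${cfg.domain}/api/v2/users/${encodeURIComponent(userId)}`;
  const headers = { Authorization: `Bearer ${cfg.managementToken}`, "Content-Type": "application/json" };
  return method === "GET"
    ? { url, options: { method, headers } }
    : { url, options: { method, headers, body: JSON.stringify(pickForwarded(body)) } };
}

// Proxy handler: returns the { status, body } that would go back to the SPA.
function handleProxy({ claims, method, userId, body }, cfg, transport) {
  const decision = authorize(claims, method, userId);
  if (!decision.ok) return { status: decision.status, body: { error: decision.reason } };
  const req = buildManagementRequest(cfg, method, userId, body);
  const upstream = transport(req.url, req.options);
  if (upstream.status !== 200) return { status: 502, body: { error: "upstream error" } };
  return { status: 200, body: pickForwarded(upstream.body) };   // strips app_metadata on the way out
}

// Constructed fake of the Management API (in-memory user store) for offline runs.
function fakeManagementApi() {
  const users = {
    "auth0|alice": { user_id: "auth0|alice", user_metadata: { theme: "dark" }, app_metadata: { role: "admin" } },
  };
  return (url, options) => {
    const id = decodeURIComponent(new URL(url).pathname.split("/").pop());
    const user = users[id];
    if (!user) return { status: 404, body: {} };
    if (options.method === "PATCH") {
      const patch = JSON.parse(options.body);
      user.user_metadata = { ...user.user_metadata, ...(patch.user_metadata || {}) };
    }
    return { status: 200, body: user };
  };
}

// Placeholder backend config; a real deployment reads these from secrets, never from the SPA.
const cfg = { domain: "example.auth0.com", managementToken: "BACKEND_ONLY_TOKEN_PLACEHOLDER" };

// Demo run with constructed claims.
const api = fakeManagementApi();
const alice = { sub: "auth0|alice", scope: "openid read:user update:user" };
console.log(handleProxy({ claims: alice, method: "GET", userId: "auth0|alice" }, cfg, api));
// -> { status: 200, body: { user_metadata: { theme: 'dark' } } }   (no app_metadata)
console.log(handleProxy({ claims: alice, method: "PATCH", userId: "auth0|alice",
  body: { user_metadata: { theme: "light" }, app_metadata: { role: "owner" } } }, cfg, api));
// -> theme becomes 'light'; the app_metadata in the request body is dropped before forwarding
console.log(handleProxy({ claims: alice, method: "GET", userId: "auth0|bob" }, cfg, api));
// -> { status: 403, body: { error: 'not the token subject' } }
```

The two filters (on the request body and on the upstream response) are the point: even if the Management API token on the backend is broad, the SPA can only ever see or change user_metadata of the token's own subject, which is the least-privilege property the post asks for.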