Three questions about user management from my backend and Auth0

After finally figuring out how to get a JWT token from Auth0 to work with my Spring backend, the next thing I’d like to figure out is user management from my backend.

There are a few questions I had in mind:

  • What is the most reliable identifier to use from the claims for tracking users in my own backend database? My backend needs to tie entity ownership with my authenticated/authorized users. I was thinking of using “sub” and “email” (from userinfo endpoint) both.

  • Is it ideal to use the Management API from my own backend to handle roles & groups? I want to create groups with different attributes including ownership by one or more users, etc. - things I don’t think Auth0 groups support. Is it better that I just maintain my own on my backend, especially if I need to maintain my own app-related roles/permissions, associations, etc.? If I use Auth0 for this, then I’d need to know when it updates from Auth0’s end (i.e. user deletes their account) and so on and I feel that will complicate things.

  • What is the difference between using Users/Roles in the normal dashboard and using the Authorization Extension? The only difference I noticed is that the extension has groups, but the dashboard management doesn’t.

  1. Reliable Identifier for Tracking Users: Auth0 recommends two options to uniquely identify your users:

    • The user_id property: This is guaranteed to be unique within a tenant per user.
    • A natural key, like the email property: In this case, it is recommended that you enable email verification¹.

    However, the user_id field has an undefined length due to the variable length of any identity provider/connection name. This implies that the only appropriate SQL data type for user_id would be TEXT which cannot be indexed. If you limit the identity providers to only “Auth0” (5 characters), the character length of user_id is not known.

  2. Management API for Handling Roles & Groups: Auth0 Management API provides various functions to help you manage your roles. You can create roles, edit role definitions, add permissions to roles, remove permissions from roles, view role permissions, view role users, and delete roles. However, if you need to maintain your own app-related roles/permissions, associations, etc., it might be more straightforward to maintain them on your own backend.
    Manage Role-Based Access Control Roles

  3. Difference between Users/Roles and Authorization Extension: The Authorization Core feature set and Authorization Extension are completely separate features. With the Authorization Extension, roles and permissions are set on a per-application basis. If you need the same roles or permissions on another application, you’ll have to create them separately. Conversely, the Authorization Core feature set provides much more flexibility with roles and permissions. The Authorization Extension provides support for user authorization via Groups, Roles, and Permissions, while the dashboard management doesn’t.

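To make the first point concrete for a Spring resource server, here is an added example (not code from the thread or from Auth0) of keying the local user row and the ownership check on the token's `sub` claim rather than on email. It assumes spring-boot-starter-oauth2-resource-server with a configured JWT decoder, that `email`/`email_verified` were added to the access token as custom claims (otherwise they come from the userinfo endpoint), and hypothetical `AppUser`, `Document` and JPA repository types.

```java
// Added example: resolve the caller from the Auth0 access token's "sub" claim
// and enforce entity ownership in a Spring controller. AppUser, Document and
// the two repositories are hypothetical; AppUser has a unique "sub" column.
import org.springframework.http.HttpStatus;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
public class DocumentController {

    private final AppUserRepository users;      // hypothetical JPA repository
    private final DocumentRepository documents; // hypothetical JPA repository

    public DocumentController(AppUserRepository users, DocumentRepository documents) {
        this.users = users;
        this.documents = documents;
    }

    // Upsert the local user row keyed by "sub". Email is kept only as a display
    // attribute, and only when Auth0 marks it verified; it is never the join key,
    // because a user can change their email or link a second identity.
    private AppUser resolveUser(Jwt jwt) {
        String sub = jwt.getSubject();                        // e.g. "auth0|<id>"
        Boolean verified = jwt.getClaimAsBoolean("email_verified");
        String email = Boolean.TRUE.equals(verified) ? jwt.getClaimAsString("email") : null;
        return users.findBySub(sub)
                .orElseGet(() -> users.save(new AppUser(sub, email)));
    }

    @GetMapping("/documents/{id}")
    public Document get(@PathVariable long id, @AuthenticationPrincipal Jwt jwt) {
        AppUser caller = resolveUser(jwt);
        Document doc = documents.findById(id)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
        // Ownership is compared on the stored owner "sub", never on the email.
        if (!doc.getOwnerSub().equals(caller.getSub())) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
        }
        return doc;
    }
}
```

The same `sub` value is what you would pass to the Management API if you later decide to mirror role changes from Auth0 into this table.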