Tags: oauth-2.0, auth0, openid-connect

Obtaining user app_metadata in my resource server using OIDC and Oauth v2.0


I'm struggling to clearly understand the flow of obtaining user app_metadata after an authenticated user sends a request to my Resource Server with an Access Token.

I've seen previous answers on Stack Overflow, but they didn't clarify things enough.

For example, the information I need to obtain is the user's organizationId (234) and organizationRole (POWER_USER).

Can this information be loaded onto the Access Token? If not, does this mean that my Resource Server has to call the authorization server (Auth0) each time to check these parameters? Because I see that the ID token isn't being sent with the request.

Is this the best practice? Doesn't this bring a latency toll to call Authorization Server to check these details on each request?


Solution

  • The easiest way to accomplish this (while limiting the number of requests needed) is to add the data to the token via a custom claim. This can be done in a Rule if you are using Auth0, and there is an example in the doc I linked.