
Storing OAuth user info (username, first_name, last_name etc) in local database

I recently implemented OAuth 2.0 (FusionAuth) into my Flask API. Because of the way that I implemented OAuth, I have two separate databases, one for the OAuth server and the other for the Flask API.

Based on this I am wondering what is considered best practice. Should I make calls to the OAuth server every time I need to grab a user's info such as username, first_name, last_name etc., or should I store this information in my Flask API database to limit the load on the auth server?

If I were to go with option one, my auth server would have increased load because my API is heavily dependent on user info as it is being used as part of a social media platform.

If I go with option two, I reduce the load on the auth server, but I would have to update two different databases if a user were to change their first_name or last_name (rarely happens).

USER DATA DESIGN

Typically you need a small amount of user info in the Authorization Server, namely these fields:

  • Given Name
  • Family Name
  • Email

All other user data is best stored in the Application / Product, where it is easier to change and you can easily do SQL queries on it.

The above OAuth fields in effect become read only in your product schema. When they change in the Authorization Server you need to update your product data.

MATCHING OAUTH USER DATA TO PRODUCT USER DATA

This can be done after login in your API by matching the token's sub claim or the User Info's email claim to your Product User Data. If there are changes then keep the Product User Data. This process can involve the API calling the User Info endpoint.

RESOURCES OF MINE
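The matching step the answer describes (look the product user up by the token's sub claim, fall back to the User Info email, refresh only the Authorization Server-owned fields and keep everything the product owns) can be written as a small upsert that runs after the API has validated the token. The code below is an added illustration, not the answerer's code or FusionAuth's; it assumes an in-memory sqlite3 table with a constructed schema, the standard OIDC claim names sub, email, given_name and family_name, and two made-up product-owned columns (display_name, bio). It deliberately refuses to adopt an email-matched row that is already bound to a different sub, so that a shared or reassigned email address cannot hand one user's product data to another account.

```python
import sqlite3
from typing import Any, Mapping

# Fields the Authorization Server owns; the product copy is read-only and
# refreshed from the token / User Info claims on every login.
OAUTH_FIELDS = ("given_name", "family_name", "email")
# Fields the product owns (constructed example columns); never overwritten by the sync.
PRODUCT_FIELDS = ("display_name", "bio")


def init_db() -> sqlite3.Connection:
    """Create the constructed example schema in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        """CREATE TABLE users (
               id           INTEGER PRIMARY KEY,
               sub          TEXT UNIQUE,
               email        TEXT UNIQUE NOT NULL,
               given_name   TEXT,
               family_name  TEXT,
               display_name TEXT,
               bio          TEXT
           )"""
    )
    return conn


def sync_user_from_claims(conn: sqlite3.Connection, claims: Mapping[str, Any]) -> dict:
    """Upsert the product user row from already-validated claims.

    Matches on `sub` first; falls back to `email` only for rows that have no
    sub recorded yet (e.g. accounts migrated before OAuth) and binds the sub
    on that first login. Returns the resulting row plus the fields it changed.
    Call this only after signature, issuer, audience and expiry checks passed.
    """
    sub = claims.get("sub")
    if not sub:
        raise ValueError("claims contain no 'sub'; refusing to sync an unidentified user")
    email = claims.get("email")

    row = conn.execute("SELECT * FROM users WHERE sub = ?", (sub,)).fetchone()
    if row is None and email:
        # Only adopt an email-matched row that has no sub yet. A row already
        # bound to another sub must not be taken over via a shared email.
        row = conn.execute(
            "SELECT * FROM users WHERE email = ? AND sub IS NULL", (email,)
        ).fetchone()

    incoming = {f: claims.get(f) for f in OAUTH_FIELDS}

    if row is None:
        if not email:
            raise ValueError("cannot create a product user without an email claim")
        conn.execute(
            "INSERT INTO users (sub, given_name, family_name, email) VALUES (?, ?, ?, ?)",
            (sub, incoming["given_name"], incoming["family_name"], email),
        )
        conn.commit()
        row = conn.execute("SELECT * FROM users WHERE sub = ?", (sub,)).fetchone()
        return {"user": dict(row), "created": True, "changed": list(OAUTH_FIELDS)}

    # Work out which Authorization Server-owned fields differ. Product-owned
    # fields are never part of this list, so they survive the update.
    changed = [f for f in OAUTH_FIELDS if incoming[f] is not None and incoming[f] != row[f]]
    if row["sub"] is None:
        changed.append("sub")
    if changed:
        # Column names come from the constant tuples above, never from the
        # claims, so building the SET clause from them is safe.
        sets = ", ".join(f"{f} = ?" for f in changed)
        values = [sub if f == "sub" else incoming[f] for f in changed]
        conn.execute(f"UPDATE users SET {sets} WHERE id = ?", (*values, row["id"]))
        conn.commit()
        row = conn.execute("SELECT * FROM users WHERE id = ?", (row["id"],)).fetchone()
    return {"user": dict(row), "created": False, "changed": changed}


if __name__ == "__main__":
    db = init_db()
    # Constructed claims as they would arrive from a validated ID token.
    print(sync_user_from_claims(db, {"sub": "u-1", "email": "a@example.com",
                                     "given_name": "Ann", "family_name": "Lee"}))
    print(sync_user_from_claims(db, {"sub": "u-1", "email": "a@example.com",
                                     "given_name": "Anne", "family_name": "Lee"}))
```

Because the sync runs on every login, the product database stays current with the Authorization Server without any cross-database transaction: a name change made in FusionAuth is picked up the next time the user's token is presented, and a user who never logs in again never needs to be updated at all. The "sub IS NULL" guard on the email fallback is the part worth keeping when adapting this: email is a mutable, reusable identifier, and only the sub should ever be trusted to select an existing account once it has been bound.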
