OpenID Connect UserInfo Endpoint Usage

Upon receipt of a valid Access Token, is it considered best practice to invoke a call to the userinfo endpoint, and retrieve user metadata, for each subsequent call to your application? Or should the call to userinfo instead be invoked once, and the user metadata response stored in, for example, a cookie, such that subsequent requests read user metadata from the cookie as opposed to invoking a call to userinfo for each request?

Paul Mooney Avatar asked May 19 '26 10:05

1 Answer

In the end it depends on the use case:

In the average consumer use case the user info endpoint would provide information that rarely changes and it would be a safe assumption to cache the information. In some enterprise use cases however, the user info endpoint may provide information that is used for real time access control decisions in which case it may not be wise to cache the information, or at least not for long.

But your client may not even depend on data that changes, e.g. if the only thing it uses is a persistent identifier (sub) and the given_name/family_name claims. Then, even if there's other data returned from the user info endpoint that may change over time, your client would not bother and would rather cache sub, given_name and family_name without calling the user info endpoint again.

Also, claims may be returned as part of the id_token (e.g. including first_name, family_name), which may be sufficient for some use cases, so there is no need for calling the user info endpoint at all.

In summary: it depends on the type of information returned from the user info endpoint, the client's requirements on that information, and the information already available in the id_token.

Hans Z. Avatar answered May 21 '26 20:05
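The caching policy the answer describes, as an added example that is not code from the question or the answer: a resolver that serves claims from the validated id_token first, then from a per-subject cache while it is within a TTL, and only then calls userinfo. The injected fetcher, the TTL, the fake clock and the claim values are assumptions constructed for the demo.

```python
import time
from typing import Callable, Dict, Tuple
# Assumption: the userinfo call is an injected callable (access token -> claims),
# so this runs offline. A real client would GET the provider's userinfo endpoint
# with "Authorization: Bearer <access_token>" and decode the JSON (or JWT) reply.
UserInfoFetcher = Callable[[str], Dict[str, object]]


class ClaimsResolver:
    """Serve claims from the validated id_token first, then from a per-subject
    cache that is still within ttl_seconds, and only then call userinfo.
    Use a short TTL (or 0) when the claims drive real-time access control."""
    def __init__(self, fetch_userinfo: UserInfoFetcher, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._ttl, self._clock = fetch_userinfo, ttl_seconds, clock
        self._cache: Dict[str, Tuple[float, Dict[str, object]]] = {}
        self.userinfo_calls = 0  # exposed so the caching effect can be observed

    def resolve(self, id_token_claims: Dict[str, object], access_token: str,
                wanted: Tuple[str, ...]) -> Dict[str, object]:
        sub = str(id_token_claims["sub"])  # id_token assumed already validated
        result = {k: id_token_claims[k] for k in wanted if k in id_token_claims}
        missing = [k for k in wanted if k not in result]
        if not missing:
            return result  # id_token was sufficient: userinfo is never called
        entry = self._cache.get(sub)
        if entry is None or self._clock() - entry[0] >= self._ttl:
            claims = self._fetch(access_token)
            self.userinfo_calls += 1
            # OIDC Core 5.3.2: the userinfo sub MUST match the id_token sub,
            # otherwise the response values MUST NOT be used.
            if claims.get("sub") != sub:
                raise ValueError("userinfo sub does not match id_token sub")
            entry = (self._clock(), claims)
            self._cache[sub] = entry
        result.update({k: entry[1][k] for k in missing if k in entry[1]})
        return result


def demo() -> Tuple[dict, dict, dict, int]:
    """Constructed scenario: two requests inside the TTL, then one after it."""
    now = [1000.0]  # fake clock so the TTL expiry is deterministic
    provider = {"sub": "user-123", "given_name": "Ada", "family_name": "Lovelace",
                "groups": ["staff"]}  # constructed userinfo response
    resolver = ClaimsResolver(lambda tok: dict(provider), 60, lambda: now[0])
    idt = {"sub": "user-123", "given_name": "Ada"}  # constructed id_token claims
    first = resolver.resolve(idt, "tok", ("sub", "given_name", "family_name"))
    second = resolver.resolve(idt, "tok", ("sub", "given_name", "family_name"))
    now[0] += 61                              # cache entry is now stale
    provider["groups"] = ["staff", "admin"]   # access-control claim changed upstream
    third = resolver.resolve(idt, "tok", ("sub", "groups"))
    return first, second, third, resolver.userinfo_calls
```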
