Would anyone consider storing a user's role and opt...
# talk-kratos
l
Would anyone consider storing a user's role and optional additional permissions in the metadata_public a bad idea? IMHO neither is sensitive data, and it saves the API server from having to make two separate API calls to kratos to get that information (first whoami, then identity lookup to get the admin metadata).
b
We are already doing this internally for a different project. It's up to your business requirements actually. @loud-restaurant-89371
l
It would be really nice to have an endpoint which looks up a session by cookie and returns the admin metadata in the same call 😉
c
I'm not sure if @loud-restaurant-89371 is sarcastic or not, but /sessions/whoami does exactly that
I lied, it's the public one, returning the admin one from the public endpoint would be insanity. However, I would consider the role name to be fairly harmless to put in the public metadata
l
Well yeah, what I meant is an admin endpoint which does both in one go. But I think having it in the public metadata is fine.