Hey everyone! Quick question, If a User belongs t...
# general
c
Hey everyone! Quick question: if a User belongs to a certain Group, and I need this information for each API call, can I add this field (groupId) to the cookie or session somehow? Is this a safe way to go about this?
b
Hey @clever-book-41220, it could be done: you could modify the identity.metadata_public or identity.metadata_admin to contain this groupId. And since the identity is contained in the session that can be resolved from the cookie ... However, I suppose this group might be used for authorization purposes, right? Like accessing data belonging to this group only. If that's the case, there's a risk that the user could be removed from the group but the reference might still be contained in the identity. (Unless wrapping the group modification into a transaction, maybe.) I would imagine using Ory Permissions instead for a safer design.
c
Hi @billowy-actor-35983, thanks for the info! That makes sense, I'll give it a shot. Can a permission check also return a groupId? I need that groupId to get, for example, all users belonging to a group.
b
A permission check will only say if permission is granted or not. However, you could use some of the Keto endpoints that are more suited, such as this one.
c
Thanks for the info @billowy-actor-35983, I'm wondering, with all these features in Ory, do people generally still have a (MySQL or other) database with Users? And who should be responsible for what?