Best practices with storing access tokens for SSO with another app on a site?
Hey! I’m trying to set up SSO with another app that will be used on our site and I just wanted to make sure that I’m setting everything up correctly and securely.
Using this plugin, I’m trying to set up SSO with another app (OpenWeb) that will also be installed on our site. For OpenWeb to use SSO with Auth0, they require an Auth0 access token with the scopes `openid read:users read:profile read:email`. I’d like this access token to be available once the user is logged in (I’m using Auth0’s hosted universal login page), just so the process can be as frictionless as possible (I’d like to avoid requiring the user to log in twice, etc.).

I understand that by default, this plugin doesn’t request those `read:` scopes, so I will have to hook into the `auth0_auth_scope` filter to add those extra scopes.

Since the plugin by default does not do anything with the returned access token, I should hook into `auth0_user_login` to store it in whatever way I decide.

And to keep things secure (as you mentioned in threads like this one), I should hook into `auth0_authorize_url_params` to add the audience parameter for OpenWeb’s audience (assuming it’s not a problem to have that parameter added all the time, let me know if it’s not).

Do I have this all understood correctly? Is there something I’m missing here? All help is greatly appreciated.