Full App Embedding Using JWT SSO

Hello all,

I am working on doing a full app embed of Metabase into an existing Django application using JWT. This is working; however, it seems there is no validation of the content of the JWT other than the email address, and I thought the validation of the JWT would include the first_name, last_name, groups, and any custom attributes that were associated with the user in Metabase.

I am concerned that the JWT approach is a security concern if only the email address is validated in the JWT. My question is: is anyone else dealing with this concern, and what approaches are being taken to secure the SSO connection between the application and Metabase when doing the full app embed?
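As an added illustration (not code from the original post and not Metabase's or Django's own implementation), the following stdlib-only Python shows what the Django side mints and what a verifier such as Metabase has to check before it trusts any claim. It assumes the claim names Metabase documents for its JWT SSO (email, first_name, last_name, groups, exp), an HS256 shared secret, and hypothetical function names; the secret value and the `iat` claim are assumptions. The point it demonstrates is that the HS256 signature covers the whole payload, so a client that does not hold the shared secret cannot change first_name, groups, or any other claim without the token being rejected, regardless of which claims the receiving side later reads.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a long random secret known only to the Django server and Metabase.
# It must never reach the browser, because whoever holds it can mint any identity.
SHARED_SECRET = "replace-with-the-secret-configured-in-metabase"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint_sso_token(secret, email, first_name, last_name, groups, now=None, ttl=60):
    """Build the HS256 JWT the Django side hands to Metabase (claim names as documented by Metabase)."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "email": email,
        "first_name": first_name,
        "last_name": last_name,
        "groups": list(groups),
        "iat": now,            # assumption: issued-at, not required by Metabase
        "exp": now + ttl,      # short lifetime limits replay of a leaked token
    }
    signing_input = f"{_json_segment(header)}.{_json_segment(claims)}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_sso_token(secret, token, now=None):
    """Return the claims only if the signature and expiry hold; raise ValueError otherwise."""
    now = int(time.time()) if now is None else int(now)
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # refuse alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")     # any edited claim lands here
    claims = json.loads(_b64url_decode(claims_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if not claims.get("email"):
        raise ValueError("missing email")
    return claims


def forge_claim_without_secret(token, claim, value):
    """Simulate a client that edits one claim but cannot re-sign (it lacks the secret)."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims[claim] = value
    return f"{header_b64}.{_json_segment(claims)}.{sig_b64}"


def is_accepted(secret, token, now=None) -> bool:
    try:
        verify_sso_token(secret, token, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = int(time.time())
    tok = mint_sso_token(SHARED_SECRET, "ada@example.com", "Ada", "Lovelace", ["Analysts"], now=t0)
    print("genuine accepted:", is_accepted(SHARED_SECRET, tok, now=t0 + 10))
    forged = forge_claim_without_secret(tok, "groups", ["Administrators"])
    print("forged accepted: ", is_accepted(SHARED_SECRET, forged, now=t0 + 10))
```

What this makes visible is where the trust actually sits: the server-side secret and the short `exp`, not the number of claims the receiver inspects. Metabase reads first_name, last_name and groups from the same signed payload (groups only take effect when its JWT group mapping is enabled), so the practical controls are keeping the secret out of the browser, minting tokens only after the Django session is authenticated, and keeping the lifetime to seconds rather than hours.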