Using InternalData in Auth type


I am working to enhance an existing authentication plugin. Just curious if there is any guidelines on “DO and DONT on using InternalData” in struct Auth (package logical). For example, will that information be logged and/or exported for use in auditing? For example, if the authentication plugin generates an OAuth token for other uses, is it a bad idea to store the OAuth token there?

Follow-on questions:
How about the field Metadata in struct Alias?