As you’re using onAuthorized, it looks like you’re attempting to do this on the client side? You can’t create tokens client side as that would mean exposing your secret which would be a huge security breach.
You should only be creating tokens on your EBS, and the user_id in the JWT isn’t “the userId from before”, it’s the id of the extension owner.