We are working with an app that the current setup has every tenant with their own subdomain for example tenant1.myapp.com, tenant2.myapp.com. If we were to use Auth0 on this, how would we setup the clients and connections?
On top of that, some users could be in multiple tenants. I have looked at the documentation about putting this in the app metadata like.
{
“tenant1”:{
“role”:“admin”
},
“tenant2”:{
“role”:“user”
}
}
What other considerations do we need to take for our account and how to best set this up? Our concern would be just maintaining the number of tenants which is close to a thousand. About 5k activate users
So the key questions:
- Is it best to have 1 database and 1 client?
- Should we break individual tenants into their own databases? How does this affect cost?
- Any other concerns about users that can log into multiple tenants?
We have implemented multi-tenancy like this.
- If you use multiple clients, you will need to create these and databases (auth0 or custom) dynamically, retrieve and store all the various keys and Ids, then connect to individual tenants using this information. I don’t think this overhead is necessary and believe 1 database and 1 client will be best.
In recent times, creating new clients, confirms to different standards, for instance Client created after a certain date behave differently (without notification) So you may find that your integration breaks without warning, for this reason I would also stick to 1 client.
- I don’t think there is a limit on the number Auth0 databases/connections? It may be additional cost to run your own/custom database, sure of the overhead and cost for that.
- When user info is retrieved, you will need to pull/translate any metadata into claims using a “rule” on your Auth0 account. We store the basic things like TenantId, Role etc, return these as claims then within our app manage additional/internal claims based on roles. If you are using this for single sign on, you may need to store all your claims in the metatdata to share with other apps.
Impersonation is a handy feature, but not sure how that works across Clients?
Hope this helps.