I have a spring boot application with multiple rest end points. These end points are accessed from multiple Angular UI application. Each Angular UI application has its own tenant set up in auth0. What would be a good approach to support access token generated from any tenant for accessing rest end points of spring boot application? I should be able to verify the access token generated from any tenant.
I was going through the spring boot auth0 example.
JwtWebSecurityConfigurer mentioned in spring boot example only takes a single audience and issuer. How should we configure it for multiple audience and issuer?
Also what would be the best design to handle this scenario?
We are also trying to solve this problem. To solve one of the problems your having with multi-tenant auth, ie authenticating between applications, we used a cache layer that ‘knew’ about each clients client_Id, secret or RSA256 endpoint.
So that if either TenantA_ClientA or TenantaB_ClienB produced a token, the receiving API ‘knew’ about them in our cache layer and could authenticate and or authorize.
Im not familiar with spring, but our C# WebApi app there were some overrides that allowed multiple audiences and issuers. However, we skipped all that and used a built in hook, that allowed us to do a lookup on the audience and issuer that was on the incoming token, so effectively doing a dynamic lookup.
Thanks a lot for sharing that knowledge!