Our application is multi-tenant which has proven to be a bit of a challenge with Auth0. I think we’ve got it working now using the new Authorization Core RBAC stuff which is great, but the way we implemented roles makes me wonder if we’re set up to have a problem in the future, so wanted to ask people here who might know!
The challenge with multi-tenancy in Auth0 is there’s really no way to tell which tenant(s) a user belongs to. Our solution has been to prepend a tenant abbreviation to the roles for that tenant, like `TNT01.readonly_user`. The challenge with this is that our “normal” 6 roles get repeated over and over for each tenant. Our application is (now) able to manage these so it’s not too big of a problem, but I am curious how well Auth0 will handle the number of roles as they grow to hundreds and thousands. Doesn’t seem scary per se, but I don’t want to find out later that I’ve been digging a hole in which to bury us!
I thought about using `user_metadata` for tenant assignment, but really I need to know tenant roles at the same time, so there’s not much point in doing it outside the “proper” RBAC channels.
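To show how the `TNT01.readonly_user` convention behaves on the consuming side, here is an added example (not code from the original post or from Auth0) of parsing tenant-prefixed roles out of a token and answering "does this user hold role R in tenant T?". It assumes the roles arrive in a custom namespaced claim (the claim name below is hypothetical) and that the tenant abbreviation is everything before the first `.`; it also covers the edge cases the naming scheme invites, such as an unprefixed role or a tenant abbreviation that itself contains a dot.

```javascript
// Added example, not part of the original post. Parses Auth0 roles named
// "<TENANT>.<role>" and derives tenant membership from the role names alone.

// Hypothetical namespaced claim carrying the user's roles in the access token.
const ROLES_CLAIM = "https://example.com/roles";

// Split "TNT01.readonly_user" into { tenant: "TNT01", role: "readonly_user" }.
// The split is at the FIRST dot, so role names may contain dots but tenant
// abbreviations may not. An unprefixed or empty-suffix name returns null:
// a naming accident must fail closed rather than grant access in every tenant.
function parseTenantRole(name) {
  const i = name.indexOf(".");
  if (i <= 0 || i === name.length - 1) return null;
  return { tenant: name.slice(0, i), role: name.slice(i + 1) };
}

// Reverse direction: build the role name to assign for a tenant, rejecting
// tenant abbreviations that would not parse back unambiguously.
function tenantRoleName(tenant, role) {
  if (!tenant || tenant.includes(".")) {
    throw new Error("tenant abbreviation must be non-empty and contain no '.'");
  }
  if (!role) throw new Error("role must be non-empty");
  return `${tenant}.${role}`;
}

// Build Map<tenant, Set<role>> from a decoded token payload.
function tenantRolesFromClaims(claims) {
  const raw = Array.isArray(claims[ROLES_CLAIM]) ? claims[ROLES_CLAIM] : [];
  const byTenant = new Map();
  for (const entry of raw) {
    const parsed = parseTenantRole(String(entry));
    if (!parsed) continue; // ignore malformed names instead of guessing
    if (!byTenant.has(parsed.tenant)) byTenant.set(parsed.tenant, new Set());
    byTenant.get(parsed.tenant).add(parsed.role);
  }
  return byTenant;
}

// Tenants the user belongs to, sorted for stable output.
function tenantsOf(claims) {
  return [...tenantRolesFromClaims(claims).keys()].sort();
}

// Authorization check. The tenant comes from the request context (route, host,
// header) and is matched against the token; a role in TNT01 says nothing about TNT02.
function hasTenantRole(claims, tenant, role) {
  const roles = tenantRolesFromClaims(claims).get(tenant);
  return roles !== undefined && roles.has(role);
}

// Constructed sample payload (not a real token): two good tenants plus two
// malformed entries that must be ignored.
const samplePayload = {
  sub: "auth0|user123",
  [ROLES_CLAIM]: [
    "TNT01.readonly_user",
    "TNT01.editor",
    "TNT02.readonly_user",
    "orphan_role", // no tenant prefix
    "TNT03.",      // prefix with no role
  ],
};

console.log(tenantsOf(samplePayload));                         // ["TNT01", "TNT02"]
console.log(hasTenantRole(samplePayload, "TNT01", "editor"));  // true
console.log(hasTenantRole(samplePayload, "TNT02", "editor"));  // false
```

The point of deriving membership from the role names is exactly the one raised in the post: tenant assignment and tenant roles come from the same RBAC source, so there is no second store (such as `user_metadata`) that can drift out of sync with the roles.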