I’d like to use Auth0 for API authorization on a multi-tenant SaaS product. Users in the SaaS product can be part of one or many tenants/companies. They should be authorized automatically for first-party clients, but should need consent for 3rd party clients.
What’s the best practice for providing limited access via 3rd party clients to particular companies?
User A (email@example.com)
- Company 1
- Company 2
User B (firstname.lastname@example.org)
- Company 1
Client A - First party Single Page Application (portal.example.com)
Client B - Third party application (extension.anotherdomain.com)
Resource API - api.example.com
How do we allow User A to grant access to Client B to access Company 1 but not to access Company 2?
Out in the wild there seem to be a few approaches to this:
GitHub approach – OAuth tokens are granted for a 3rd party token (e.g. "aud":"http://api.example.com"), but GitHub internally implements an ACL that prevents access to certain Organizations.
Google approach – If you are logged in as multiple users, you choose one user to use for authorization (e.g.
To implement these via Auth0:
- Implement an internal Whitelist/Blacklist for clients (Github approach)
- Set up an audience-per-company approach, registering each new company as a resource owner via the Management API. Implement a proxy as the first step in a consent flow to choose a company, passing that along as the audience to the Authentication API. (Google approach)
I’m leaning towards the Github approach, but the user experience isn’t as nice as the Google approach.
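To make the two options in the post concrete, here is an added example (not from the poster, not Auth0 code) of the authorization check the resource API would run on an already signature-verified access token under each approach: the ACL-style check keeps one API audience and consults an internal consent store keyed by user and client, while the audience-per-company check trusts the company named in `aud`. Client IDs, the issuer URL, the membership table and the consent grants are all constructed assumptions.

```python
import time

API_AUDIENCE = "https://api.example.com"
ISSUER = "https://example.auth0.com/"          # assumed tenant issuer
FIRST_PARTY_CLIENTS = {"client_a_portal"}      # assumed client_id of portal.example.com

# Constructed data: which companies each user belongs to, and which companies
# a user has consented to expose to a given third-party client.
MEMBERSHIP = {
    "email@example.com": {"company-1", "company-2"},
    "firstname.lastname@example.org": {"company-1"},
}
CONSENTS = {("email@example.com", "client_b_extension"): {"company-1"}}


def _audiences(claims):
    """JWT 'aud' may be a string or a list; normalise it to a set."""
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def _token_is_live(claims, now=None):
    """Issuer and expiry checks; signature is assumed verified upstream."""
    now = time.time() if now is None else now
    return claims.get("iss") == ISSUER and claims.get("exp", 0) > now


def allowed_acl_style(claims, company, now=None):
    """GitHub-style: one audience for the whole API, API-side ACL per company."""
    if not _token_is_live(claims, now) or API_AUDIENCE not in _audiences(claims):
        return False
    user, client = claims.get("sub"), claims.get("azp")   # azp = requesting client
    if company not in MEMBERSHIP.get(user, set()):
        return False
    if client in FIRST_PARTY_CLIENTS:
        return True                 # first-party clients are consented implicitly
    return company in CONSENTS.get((user, client), set())


def allowed_audience_style(claims, company, now=None):
    """Google-style: the token was minted for exactly one company audience."""
    if not _token_is_live(claims, now):
        return False
    if f"{API_AUDIENCE}/companies/{company}" not in _audiences(claims):
        return False
    return company in MEMBERSHIP.get(claims.get("sub"), set())
```

Both checks still reject tokens whose issuer or expiry is wrong, and the ACL variant denies a third-party client any company the user never consented to, even when the user is a member of it.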