> so I guess it would be better to have one access token. However, I am also interested to hear about how it might work with two
In either case:
- Enable RBAC for your API settings.
- Create “Admin - Company X” roles and permissions accordingly.
- Assign the permissions to the respective roles.
- Assign the roles to the user(s) respectively.
When you now request an access token for such a user, it will look like this, including the permissions claim containing all permissions that a user has, due to his roles:
```json
{
  "iss": "https://xyz.auth0.com/",
  "sub": "google-oauth2|111416312687570061354",
  "aud": [
    "https://example-api/",
    "https://xyz.auth0.com/userinfo"
  ],
  "iat": 1565911095,
  "exp": 1565918279,
  "azp": "h1eN7l2S4J5U2sVV1hEBsnsXYEIVO7eb",
  "scope": "openid profile email admin:company1",
  "permissions": [
    "admin:company1",
    "admin:company2"
  ]
}
```

(The scopes depend on the scopes you requested in the authorize request.)
Now, in your backend/API you would use either approach:

> so I guess it would be better to have one access token.

In this case, just validate the permissions claim in the access token.

> However, I am also interested to hear about how it might work with two

In this case, validate the scope claim in the access token. And make sure that when you request a token for a user for a certain company, you only add the respective scope for that particular company in the authorize request, such as admin:company1. (Ignore the permission claims in the access token, or don’t even include them there.)
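As an added illustration of the two approaches above (not code from the post or from Auth0), here is a small Python authorization check over already-verified token claims. It assumes the JWT library has already validated the signature, issuer and expiry; the claim values are constructed from the sample token above, and the audience value and company naming are assumptions.

```python
"""Authorize a request for one company from verified Auth0 access-token claims.

Assumes the JWT signature and issuer were checked by the JWT library first
(e.g. against the tenant's JWKS); this only inspects the decoded claims.
"""
import time

# Constructed sample claims modelled on the token shown in the post above.
SAMPLE_CLAIMS = {
    "iss": "https://xyz.auth0.com/",
    "sub": "google-oauth2|111416312687570061354",
    "aud": ["https://example-api/", "https://xyz.auth0.com/userinfo"],
    "iat": 1565911095,
    "exp": 1565918279,
    "scope": "openid profile email admin:company1",
    "permissions": ["admin:company1", "admin:company2"],
}

# Assumed API identifier this backend was registered with in Auth0.
EXPECTED_AUD = "https://example-api/"


def granted_permissions(claims):
    """Approach 1 (one token per user): trust the RBAC 'permissions' claim (a list)."""
    perms = claims.get("permissions", [])
    return set(perms) if isinstance(perms, list) else set()


def granted_scopes(claims):
    """Approach 2 (one token per company): trust only the 'scope' claim,
    which OAuth encodes as a single space-separated string."""
    return set(claims.get("scope", "").split())


def is_company_admin(claims, company, use_scope=False, now=None):
    """Return True if the token authorizes admin access to `company`."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in aud:       # token was minted for a different API
        return False
    if claims.get("exp", 0) <= now:   # expired tokens never authorize
        return False
    needed = f"admin:{company}"
    source = granted_scopes(claims) if use_scope else granted_permissions(claims)
    return needed in source
```

With the sample token, the permissions claim grants admin on both companies, while the scope claim (requested for company1 only) grants admin on company1 alone.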