We have multi-tenancy configured at the database level where we have 1 user (stored in auth0) who is configured to multiple tenants along with their roles and permissions stored within our database. Our Auth0 tenant behaves as if there is only 1 tenant (our backend).
We do the roles/permissions validation on our backend.
I was wondering if there is a way to encode a generated token to include an identifier for which tenant that bearer token will behave on behalf of. Maybe storing the ID as a claim or a scope?
We use dotnet core 5 for this access/bearer token generation.
Makes sense. Depending on which library you are using, you can add extra params to the authorize call which can be accessed in the Action with event.request.query (only available in post login action). In auth0-spa-js, for example, there is auth0clientoptions. event.request.query is a part of the event object associated with Actions.
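To make the reply concrete, here is an added example (not code from this thread or from Auth0) of a post-login Action that reads a tenant identifier from event.request.query and stamps it into the access token as a custom claim. Everything about the data shape is assumed: the extra authorize parameter is called `tenant_id`, the user's allowed tenants are read from `app_metadata.tenants` (the original poster keeps them in a database, so in practice that lookup would be replaced), and the claim namespace is a placeholder. The point worth taking from it is that the query parameter is caller-controlled and must be checked against the user's actual memberships before it is trusted; the small harness at the bottom exists only so the logic can run offline.

```javascript
// Added example (not from the thread): an Auth0 post-login Action that reads a
// tenant identifier passed as an extra authorize parameter (event.request.query)
// and writes it into the access token as a namespaced custom claim.
// Assumptions: the parameter is named "tenant_id", the user's allowed tenants are
// stored in app_metadata.tenants (the thread stores them in a database instead),
// and the claim namespace below is a placeholder.

const TENANT_PARAM = "tenant_id";
const TENANT_CLAIM = "https://example.com/tenant_id"; // placeholder namespace

// Pick the effective tenant for this login, or return null if the request is not acceptable.
function resolveTenant(requestedTenant, allowedTenants) {
  if (!Array.isArray(allowedTenants) || allowedTenants.length === 0) return null;
  if (requestedTenant === undefined || requestedTenant === null || requestedTenant === "") {
    // No explicit choice: only safe to default when the user belongs to exactly one tenant.
    return allowedTenants.length === 1 ? allowedTenants[0] : null;
  }
  // Never trust the query parameter on its own: it must match a tenant the user belongs to.
  const requested = String(requestedTenant);
  return allowedTenants.includes(requested) ? requested : null;
}

// In the Auth0 Action editor this would be exported as exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  const query = (event.request && event.request.query) || {};
  const allowed = (event.user && event.user.app_metadata && event.user.app_metadata.tenants) || [];
  const tenant = resolveTenant(query[TENANT_PARAM], allowed);
  if (tenant === null) {
    // Deny rather than issue a token with no (or a forged) tenant context.
    api.access.deny("No valid tenant selected for this user");
    return;
  }
  api.accessToken.setCustomClaim(TENANT_CLAIM, tenant);
  api.idToken.setCustomClaim(TENANT_CLAIM, tenant);
};

// Offline harness with a minimal stand-in for the Action's event/api objects.
// onExecutePostLogin contains no awaits, so its side effects are applied before it returns.
function simulateLogin(query, tenants) {
  const claims = {};
  let denied = null;
  const event = { request: { query }, user: { app_metadata: { tenants } } };
  const api = {
    access: { deny: (reason) => { denied = reason; } },
    accessToken: { setCustomClaim: (name, value) => { claims[name] = value; } },
    idToken: { setCustomClaim: () => {} },
  };
  onExecutePostLogin(event, api);
  return { tenant: claims[TENANT_CLAIM] || null, denied };
}

// Constructed sample logins: a valid choice, a tenant the user does not belong to,
// and an omitted parameter for single- and multi-tenant users.
console.log(simulateLogin({ tenant_id: "acme" }, ["acme", "globex"]));
console.log(simulateLogin({ tenant_id: "initech" }, ["acme", "globex"]));
console.log(simulateLogin({}, ["acme"]));
console.log(simulateLogin({}, ["acme", "globex"]));
```

On the client side the parameter is simply passed through the authorize call (in auth0-spa-js that is the extra parameter supplied to loginWithRedirect, under `authorizationParams` in v2); the backend then reads the namespaced claim from the validated access token and uses it to scope the roles/permissions lookup, which is what the original poster wanted the bearer token to carry.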