Database Configured Multi-Tenancy


We have multi-tenancy configured at the database level where we have 1 user (stored in auth0) who is configured to multiple tenant along with their roles and permissions stored within our database. Our Auth0 tenant behaves as if there is only 1 tenant (our backend).

We do the roles/permissions validation on our backend.

I was wondering if there is a way to encode the a generated token to include an identifier for which that bearer token will behave on behalf of. Maybe storing the ID as a claim or a scope?

We use dotnet core 5 for this access/bearer token generation.


Hello @matthew.hartz welcome back to the community!

It sounds like storing the ID as a custom claim might do the trick - Please see the following FAQ:

Let us know if you have follow up questions!

Hi @tyf , is that favorite color passed into the authorize api somehow?


Hey @matthew.hartz! Looking back at the FAQ code, it was missing the reference to the user_metadata - It should be something like:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = '';
  const { favorite_color, preferred_contact } = event.user.user_metadata;

  if (event.authorization) {
    // Set claims 
    api.idToken.setCustomClaim(`${namespace}/favorite_color`, favorite_color);
    api.idToken.setCustomClaim(`${namespace}/preferred_contact`, preferred_contact);

Where favorite_color and preferred_contact are added to user_metadata and can then be referenced via the Action.

Hi thanks for the response. What if that does data doesnt exist in the user metadata? I would like to provide it when requesting authorization.

No problem, happy to help!

Makes sense :slight_smile: Depending on which library you are using, you can add extra params to the authorize call which can be access in the Action with event.request.query (only available in post login action). In auth0-spa-js for example there auth0clientoptions. event.request.query is a part of the event object associated with Actions.

Hope this helps!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.