Database Configured Multi-Tenancy

matthew.hartz · August 22, 2022, 7:37pm

Hi,

We have multi-tenancy configured at the database level where we have 1 user (stored in auth0) who is configured to multiple tenant along with their roles and permissions stored within our database. Our Auth0 tenant behaves as if there is only 1 tenant (our backend).

We do the roles/permissions validation on our backend.

I was wondering if there is a way to encode the a generated token to include an identifier for which that bearer token will behave on behalf of. Maybe storing the ID as a claim or a scope?

We use dotnet core 5 for this access/bearer token generation.

Thanks!

tyf · August 23, 2022, 12:30am

Hello @matthew.hartz welcome back to the community!

It sounds like storing the ID as a custom claim might do the trick - Please see the following FAQ:

Let us know if you have follow up questions!

matthew.hartz · August 23, 2022, 12:39am

Hi @tyf , is that favorite color passed into the authorize api somehow?

Thanks!

tyf · August 24, 2022, 1:28am

Hey @matthew.hartz! Looking back at the FAQ code, it was missing the reference to the user_metadata - It should be something like:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://myapp.example.com';
  const { favorite_color, preferred_contact } = event.user.user_metadata;

  if (event.authorization) {
    // Set claims 
    api.idToken.setCustomClaim(`${namespace}/favorite_color`, favorite_color);
    api.idToken.setCustomClaim(`${namespace}/preferred_contact`, preferred_contact);
  }
};

Where favorite_color and preferred_contact are added to user_metadata and can then be referenced via the Action.

matthew.hartz · August 24, 2022, 1:57am

Hi thanks for the response. What if that does data doesnt exist in the user metadata? I would like to provide it when requesting authorization.

tyf · August 25, 2022, 9:46pm

No problem, happy to help!

Makes sense Depending on which library you are using, you can add extra params to the authorize call which can be access in the Action with event.request.query (only available in post login action). In auth0-spa-js for example there auth0clientoptions. event.request.query is a part of the event object associated with Actions.

Hope this helps!

tyf · September 9, 2022, 9:46pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multi tenant database behind API, need to identify the user/tenant Help jwt , api	4	8182	December 17, 2018
Multi-Tenant Authorization Questions Help multi-tenant , authorization	2	3692	April 1, 2019
Safety of multi-tenant app and authorization Help jwt , id_token , multi-tenant	1	3262	August 6, 2019
Add Roles/Claims to the access token via Login Flow Help login-experience , new-universal-login-experience	2	273	April 15, 2024
Custom roles in Access token from application Help jwt	11	7577	July 4, 2019

Database Configured Multi-Tenancy

Related topics