We have multiple customers, each of whom could have multiple hostnames or app access points. Each user will have one set of roles for each domain, but could easily have different roles on different domains.
This is an extension of the question asked in this post
Ours is analogous to a school where a user A is both a teacher and a parent and can log in to the app at staff.myschool.edu and access all the teacher functionality then later log in to parent.anotherschool.edu to check their child’s grades. Same login, but different user experience depending on where you access the app.
I’m planning on using the app_metadata property of the user to store roles for each domain and then processing it inside an Auth0 rule. The choice of root key for the app_metadata array seems to be critical:
- The properties of the new object will replace the old ones.
- The metadata fields are an exception to this rule (user_metadata and app_metadata). These properties are merged instead of being replaced but be careful, the merge only occurs on the first level.
I’m hoping to create a rule that will detect which domain has requested access, read that subtree’s values from the app_metadata, then only send back the roles relevant to that domain in the app_metadata.
Here’s what the rule would effectively do. If this is the object stored by Auth0:
```json
{
  "username": "Michelle Smith",
  "app_metadata": {
    "portal.domaina.com": ["Administrator", "Scheduler"],
    "my.domainb.com": ["Customer"]
  }
}
```
When accessed from portal.domaina.com this will be returned:
```json
{
  "username": "Michelle Smith",
  "app_metadata": {
    "roles": ["Administrator", "Scheduler"]
  }
}
```
When accessed from my.domainb.com it will look like this:
```json
{
  "username": "Michelle Smith",
  "app_metadata": {
    "roles": ["Customer"]
  }
}
```
I have read on this forum that the limit on the size of the user object is 16 MB. That lets you store a massive number of roles per user before you need to consider other strategies.
Managing which roles a user has on a given domain will require calling the Auth0 Management API, and because of the section quoted above I know we can just send an update to a single domain without impacting the others that might be in that user's profile.
I am hoping that someone else with more experience in this can weigh in here and let us know what the best practices are for accomplishing this.
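As an added example (editor's code, not part of the original post or of Auth0's own samples), here is one way the rule described above could be written and unit-tested. It keeps per-domain roles under the domain-named keys in app_metadata as the post proposes, and returns only the subtree matching the requesting domain, defaulting to no roles when the domain is unknown. Two things are assumptions made for the example rather than facts from the post: the requesting domain is derived from the redirect_uri query parameter the client sent (a lookup keyed on context.clientID would be a stricter alternative), and the filtered roles are written to a namespaced token claim (NAMESPACE is a placeholder) instead of relying on app_metadata being copied into the token. The sample user and contexts are constructed to mirror the post.

```javascript
// Added example, not code from the original post. Assumes an Auth0 rule
// signature of (user, context, callback) and that the requesting application
// sent an OIDC redirect_uri; both are assumptions made here.

// Derive the hostname of the application the login came from.
// Returns null when it cannot be determined, so callers fail closed.
function requestingDomain(context) {
  const query = context && context.request && context.request.query;
  const redirect = query ? query.redirect_uri : undefined;
  if (!redirect) return null;
  try {
    // URL lowercases the hostname, so "PORTAL.DomainA.com" matches the key.
    return new URL(redirect).hostname;
  } catch (e) {
    return null; // malformed redirect_uri: treat as unknown domain
  }
}

// Return the roles stored for exactly one domain key and nothing else.
// hasOwnProperty guards against keys like "constructor" that would otherwise
// resolve to Object.prototype members; non-string entries are dropped.
function rolesForDomain(user, domain) {
  const meta = (user && user.app_metadata) || {};
  if (!domain || !Object.prototype.hasOwnProperty.call(meta, domain)) return [];
  const roles = meta[domain];
  return Array.isArray(roles) ? roles.filter(r => typeof r === 'string') : [];
}

// Produce the response shape the post describes: app_metadata reduced to a
// single "roles" list for the requesting domain.
function filterAppMetadata(user, context) {
  const roles = rolesForDomain(user, requestingDomain(context));
  return Object.assign({}, user, { app_metadata: { roles: roles } });
}

// Auth0 rule body. NAMESPACE is an assumed placeholder; custom claims must be
// namespaced URLs, and only the matching domain's roles leave the rule.
const NAMESPACE = 'https://example.com/';
function rule(user, context, callback) {
  const roles = rolesForDomain(user, requestingDomain(context));
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  context.idToken[NAMESPACE + 'roles'] = roles;
  context.accessToken[NAMESPACE + 'roles'] = roles;
  return callback(null, user, context);
}

// Constructed sample data mirroring the post's user object.
const sampleUser = {
  username: 'Michelle Smith',
  app_metadata: {
    'portal.domaina.com': ['Administrator', 'Scheduler'],
    'my.domainb.com': ['Customer'],
  },
};

// Constructed rule context for a login started from the given redirect_uri.
function sampleContext(redirectUri) {
  return { request: { query: { redirect_uri: redirectUri } } };
}
```

The deny-by-default behaviour is the security-relevant part: a login from a hostname with no key in app_metadata, or with a malformed redirect_uri, gets an empty role list rather than the roles of another customer's domain, and the other domains' keys are never copied into the token.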