Thanks, the authorization extension looks very interesting. However, it doesn’t seem to address the multi-tenant requirement. It would just shift the burden on our code from querying the data store to pull in the user’s roles for the given domain to querying the data store to retrieve the Auth0 application settings. I’ve read the docs a few times and can’t see a way to inject a filter into the defined roles based on the incoming hostname.
As for tricking the client, we’re also going to be enforcing these roles on the server which should make it practically impossible to spoof sites.
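The server-side enforcement described in the reply above, as an added example that is not part of the original post and not Auth0's code: the tenant is derived from the request's Host header, checked against a list of known tenants, and the user's roles for that tenant are read from a server-held store rather than from anything the client claims. The hostnames, user ids, roles and the in-memory `ROLES_BY_DOMAIN` map are constructed stand-ins for the data store the post mentions.

```javascript
// Added example (not from the original post or Auth0). Per-tenant role
// enforcement on the server, keyed on the request's Host header.

// Constructed sample data: roles each user holds, scoped per tenant hostname.
// Stands in for the data store the post describes.
const ROLES_BY_DOMAIN = {
  "alpha.example.com": { "user-1": ["admin"], "user-2": ["viewer"] },
  "beta.example.com":  { "user-1": ["viewer"] },
};

// Normalise the Host header (drop port, lower-case) and accept it only if it
// names a tenant we know. The header is still client-supplied, so the
// allow-list lookup is what prevents an arbitrary value selecting a tenant.
// Bracketed IPv6 literals are deliberately rejected by the character class.
function tenantFromHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  const host = hostHeader.split(":")[0].trim().toLowerCase();
  if (!/^[a-z0-9.-]+$/.test(host)) return null;
  return Object.prototype.hasOwnProperty.call(ROLES_BY_DOMAIN, host) ? host : null;
}

// Roles the authenticated user holds for this tenant only; a role granted on
// another tenant's hostname does not carry over.
function rolesFor(tenant, userId) {
  const users = ROLES_BY_DOMAIN[tenant] || {};
  return Object.prototype.hasOwnProperty.call(users, userId) ? users[userId].slice() : [];
}

// Authorisation decision. userId is assumed to come from an already-verified
// session or token; roles are never taken from the request body.
function authorize(hostHeader, userId, requiredRole) {
  const tenant = tenantFromHost(hostHeader);
  if (tenant === null) return { allowed: false, reason: "unknown tenant" };
  const roles = rolesFor(tenant, userId);
  if (!roles.includes(requiredRole)) return { allowed: false, reason: "missing role" };
  return { allowed: true, tenant, roles };
}

// Usage: user-1 is admin on alpha but only viewer on beta.
console.log(authorize("alpha.example.com:443", "user-1", "admin"));
console.log(authorize("beta.example.com", "user-1", "admin"));
```

In a real deployment `ROLES_BY_DOMAIN` would be replaced by the per-domain query against the data store, and `authorize` would run in request middleware before any tenant-scoped handler.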