Handling user roles across multiple organisations

I have an application that has multiple organizations (not Auth0 organizations). Each Auth0 user can be in multiple organizations and needs to have differing roles per organization.

Right now I can assign a role to users, giving them write access. However, they may only have write access in organization 1 and read-only access in organization 2.

How could I split these roles/permissions based on the organization the user is in? The app_metadata for each user houses an array of organizations that the user is in keyed by the org id.

I am currently using the basic JWT authorizer for the HTTP API gateway.

As we store the organization id and the roles the user has in the app_metadata object, could we pass the organisationId in when requesting an access token and have a rule populate the access token with the correct role based on the organization id?

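One shape such a rule could take, as an added example that is not part of the original post and not Auth0's own code. It assumes `app_metadata.organizations` is an object keyed by org id whose value holds a `role`, that the org is passed as an `organisationId` query parameter on the `/authorize` request, and a placeholder claim namespace. It also shows the check the API behind the JWT authorizer must still do, because a token minted for organization 1 must not be accepted for organization 2.

```javascript
// Placeholder namespace (assumed): Auth0 requires custom claims on access tokens to be namespaced.
const NAMESPACE = 'https://example.com/claims/';

// Auth0 rules expose UnauthorizedError as a global; a stand-in is defined so this runs offline.
const DenyError = (typeof UnauthorizedError === 'function')
  ? UnauthorizedError
  : class extends Error {};

// Look up the user's role in one organization from app_metadata.
// Assumed shape (constructed): { organizations: { org_1: { role: 'write' }, org_2: { role: 'read' } } }.
// hasOwnProperty guards against ids like "__proto__" or "toString" matching inherited properties.
function resolveOrgRole(user, orgId) {
  const orgs = (user && user.app_metadata && user.app_metadata.organizations) || {};
  if (typeof orgId !== 'string' || !Object.prototype.hasOwnProperty.call(orgs, orgId)) return null;
  const entry = orgs[orgId];
  return entry && typeof entry.role === 'string' ? entry.role : null;
}

// Rule body: reads the requested org from the /authorize query, denies the login if the user is
// not a member, otherwise mints an access token scoped to exactly that org and role.
function orgRoleRule(user, context, callback) {
  const query = (context.request && context.request.query) || {};
  const orgId = query.organisationId;
  const role = resolveOrgRole(user, orgId);
  if (!role) {
    return callback(new DenyError('user is not a member of the requested organisation'));
  }
  context.accessToken[NAMESPACE + 'org_id'] = orgId;
  context.accessToken[NAMESPACE + 'org_role'] = role;
  return callback(null, user, context);
}

// Constructed role ordering for the API side: write implies read.
const ROLE_RANK = { read: 1, write: 2 };

// Check run by the API after the gateway has validated the JWT signature: the org in the
// request path must match the org the token was minted for, and the role must suffice.
function authorizeOrgRequest(claims, pathOrgId, requiredRole) {
  if (claims[NAMESPACE + 'org_id'] !== pathOrgId) return false;
  const have = ROLE_RANK[claims[NAMESPACE + 'org_role']] || 0;
  const need = ROLE_RANK[requiredRole];
  return need !== undefined && have >= need;
}
```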