Hi @mathiasconradt. I found your answer in this post about possible ways to go about implementing multi tenancy for that scenario quite helpful!
However I still have doubts/questions, possibly due to my use case being slightly different. I wanted to know if you could give me a hand in modeling a possible solution and flow to accomplish it.
Let me start with a bit of context. I will try to explain as clearly as possible:
We have multiple APIs mapped in Auth0 each one of them being a completely different Product (api_1, api_2, …) that customer organisations can buy separately or in combination. These APIs can be accessed directly by M2M clients or be consumable by users via an SPA that we have.
For each API there are roles with their associated permissions: USER_PRODUCT_API_1, ADMIN_PRODUCT_API_1, USER_PRODUCT_API_2 and so on.
A user could belong to multiple organisations. Also this user might have different roles in each organisation. I understand this can only be mapped through his/her app_metadata (and not through the normal dashboard), right? Something like:
    {
      "tenants": [
        {
          "name": "org_1",
          "roles": [ "USER_PRODUCT_API_1", "USER_PRODUCT_API_2" ]
        },
        {
          "name": "org_2",
          "roles": [ "ADMIN_PRODUCT_API_1" ]
        }
      ]
    }
Then, to model this we would most likely have an SPA app per organisation and 1 database connection for all users. We would map in each SPA app's metadata which Products that organisation has access to. (Correct me if another approach based on the above is recommended.)
So how would we then do the following:
- user logs in and
- he is presented with the choice to select one of the organisations he belongs to (or not if only one)
- the SPA then requests tokens only for authorised API audiences (those associated with the organisation)
- for each audience token request the correct role should be applied:
  - if the user selected org_1, then the permissions associated with USER_PRODUCT_API_1 should be put in the token when requesting a token for audience PRODUCT_API_1
  - each access token is enriched with further information regarding the organisation chosen (e.g. which datasets this organisation can see, based on a call to an external service)
- the SPA makes requests to the respective APIs with their respective token.

to correctly log in and authorise a user to interact via our SPA with all the different products and the correct permissions respectively?
Thanks in advance for your help.
Gerardo.
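One way to express the per-audience, per-organisation decision described in the question, as an added example that is not part of the original post or of Auth0's own code. It assumes a constructed role-to-permission map, constructed API identifiers, that the SPA passes the chosen organisation as an `org` query parameter on the authorize request, and that each organisation's SPA client stores its purchased products in client metadata; the Auth0 Actions calls used (`event.user.app_metadata`, `event.request.query`, `event.client.metadata`, `event.resource_server.identifier`, `api.access.deny`, `api.accessToken.setCustomClaim`) are the post-login trigger's real API, but the handler is written as a plain function here so the logic can be run locally.

```javascript
// Constructed role -> permission map (assumption; in Auth0 the permissions live on each API).
const ROLE_PERMISSIONS = {
  USER_PRODUCT_API_1:  ["read:api_1"],
  ADMIN_PRODUCT_API_1: ["read:api_1", "write:api_1", "admin:api_1"],
  USER_PRODUCT_API_2:  ["read:api_2"],
};

// Constructed audience -> product map (assumption): which API identifier is which product.
const AUDIENCE_PRODUCT = {
  "https://api-1.example.com": "API_1",
  "https://api-2.example.com": "API_2",
};

// Pure decision: given app_metadata.tenants (shape from the post), the organisation the user
// picked, the audience being requested and the products that organisation bought, return the
// permissions to put in the token, or null when the token must be refused.
function resolveTenantAccess(appMetadata, selectedOrg, audience, orgProducts) {
  const product = AUDIENCE_PRODUCT[audience];
  if (!product || !orgProducts.includes(product)) return null;   // org has not bought this API
  const tenant = (appMetadata.tenants || []).find((t) => t.name === selectedOrg);
  if (!tenant) return null;                                       // user is not a member of that org
  const perms = new Set();
  for (const role of tenant.roles) {
    if (!role.endsWith("_PRODUCT_" + product)) continue;          // role belongs to another product
    for (const p of ROLE_PERMISSIONS[role] || []) perms.add(p);
  }
  return perms.size ? [...perms].sort() : null;                   // no role for this product in this org
}

// Post-login handler. In Auth0 this would be `exports.onExecutePostLogin`; here it is a plain
// function so a fake event/api can drive it. Only the permissions for the selected org and the
// requested audience reach the token; any other combination is denied.
async function onExecutePostLogin(event, api) {
  const selectedOrg = event.request.query.org;                     // assumption: SPA sends ?org=...
  const audience = event.resource_server && event.resource_server.identifier;
  const orgProducts = (event.client.metadata.products || "").split(","); // assumption: "API_1,API_2"
  const permissions = resolveTenantAccess(event.user.app_metadata || {}, selectedOrg, audience, orgProducts);
  if (!permissions) {
    api.access.deny("no access to " + audience + " for organisation " + selectedOrg);
    return;
  }
  api.accessToken.setCustomClaim("https://example.com/org", selectedOrg);
  api.accessToken.setCustomClaim("https://example.com/permissions", permissions);
  // Further per-organisation enrichment (e.g. the datasets this org may see, fetched from an
  // external service) would be added here as additional namespaced claims.
}
```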