Hi @mathiasconradt, thanks for the rapid response ! Although it is still unclear to me how to go about to implement the scenario.
I wouldn’t be able to implement something similar to Option C (from the original post) since in my case, due to the fact that the roles depend on the organisation selected, it will have to be always a multiple step process: meaning I think I am forced to use what you referenced as Redirect Rules unless going for a different option like Option A for example.
Then:
If going with Option D (1 SPA app, no subdomains):
- user logs in, we validate credentials, check the his/her
app_metadatato see which orgs he/she belongs to and we redirect to custom UI for him/her to select an organisation. do we pass the organisations as a custom claim in the Id Token or what gets passed to this custom UI ? - user selects the organisation; authorisation flow continues (
/continue): the selected org value is feed then to the rules engine, how is it passed? also, are we still only talking about ID Token here? - user is logged in within the SPA and the SPA has received an ID Token (maybe with a claim about the chosen organisation)
- how do the, later on initiated by the SPA, access token requests behave within this scenario? This is the part I am confused as I can’t imagine how a Rule would have access to the organisation selected before since they are not part of the
/continueflow. Since roles are by organisation we need this information in order to produce the access token.
If going with Option A (1 SPA app per organisations, subdomains to manage client id):
is the following more or less correct?
- user logs in through via a particular subdomain providing the
/authoriseendpoint with the proper client id. Organisation is then pre-selected and we have access to it during Rules. - SPA receives within the ID Token the API audiences this SPA should request access token for.
- SPA can requests access tokens for the APIs: a Rule has access to the client_id and retrieve the roles associated with the respective organisation from the user
app_metadata. (?) Do we need to translate them manually into permissions and create the appropriate scope ? - SPA receives access tokens and calls APIs.
In order to implement option A it is mandatory, and entirely on our side, to manage subdomains (customerX.app.com) to track each client id correct ? or is there other alternative I am missing ?
Thanks again,
Gerardo.