Help with b2b multi-tenant SPA & multi product APIs

Hi @mathiasconradt, thanks for the rapid response! Although it is still unclear to me how to go about implementing the scenario.

I wouldn’t be able to implement something similar to Option C (from the original post) since in my case, due to the fact that the roles depend on the organisation selected, it will always have to be a multi-step process, meaning I think I am forced to use what you referenced as Redirect Rules, unless going for a different option such as Option A.

Then:

If going with Option D (1 SPA app, no subdomains):

  • user logs in, we validate credentials, check his/her app_metadata to see which orgs he/she belongs to, and we redirect to a custom UI for him/her to select an organisation. Do we pass the organisations as a custom claim in the ID Token, or what gets passed to this custom UI?
  • user selects the organisation; the authorisation flow continues (/continue): the selected org value is then fed to the rules engine. How is it passed? Also, are we still only talking about the ID Token here?
  • user is logged in within the SPA and the SPA has received an ID Token (maybe with a claim about the chosen organisation).
  • how do the access token requests, later initiated by the SPA, behave within this scenario? This is the part I am confused about, as I can’t imagine how a Rule would have access to the organisation selected before, since they are not part of the /continue flow. Since roles are per organisation, we need this information in order to produce the access token.

If going with Option A (1 SPA app per organisation, subdomains to manage client id):

Is the following more or less correct?

  • user logs in via a particular subdomain, providing the /authorise endpoint with the proper client id. The organisation is then pre-selected and we have access to it during Rules.
  • SPA receives within the ID Token the API audiences this SPA should request access tokens for.
  • SPA can request access tokens for the APIs: a Rule has access to the client_id and retrieves the roles associated with the respective organisation from the user’s app_metadata (?). Do we need to translate them manually into permissions and create the appropriate scope?
  • SPA receives access tokens and calls APIs.

In order to implement Option A, is it mandatory, and entirely on our side, to manage subdomains (customerX.app.com) to track each client id? Or is there another alternative I am missing?

Thanks again,

Gerardo.
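The following is an added example, not code from the thread above, from @mathiasconradt, or from Auth0's own documentation. It sketches the Option D flow the post asks about (one SPA, organisation chosen after login) as a Rule-shaped function, and answers the "how does a later access token request see the chosen org" question the way a Rule would: Rules run on every /authorize transaction, silent renewals included, so an org persisted in `app_metadata` during the `/continue` pass is visible on every later pass. The Rules API names used (`user.app_metadata`, `context.protocol`, `context.request.query`, `context.redirect`, `context.idToken`, `context.accessToken`, `callback(err, user, context)`) are the real ones; the claim namespace `https://example.com/`, the picker URL, the `organisations`/`current_org` layout of `app_metadata`, and the in-memory persistence stand-in are assumptions made for this example. The security-relevant check is the membership test on the org coming back from `/continue`: that value is attacker-controlled, and accepting it unvalidated would let any user pick any organisation's roles.

```javascript
// Added example, not code from the original thread or from Auth0 itself: a
// Rule-shaped sketch of Option D (one SPA, organisation chosen after login).
// Rules API names used are the real ones (user.app_metadata, context.protocol,
// context.request.query, context.redirect, context.idToken, context.accessToken,
// callback(err, user, context)). Assumed by this example: the claim namespace,
// the org-picker URL, and an app_metadata layout of
//   { organisations: { <orgId>: { roles: [...] } }, current_org: <orgId> }.
const NS = 'https://example.com/';                            // assumed claim namespace
const ORG_PICKER_URL = 'https://app.example.com/select-org';  // assumed picker page

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Pure decision logic, kept separate from the Rule so it can be tested offline.
// Returns { action: 'redirect' | 'issue' | 'deny', ... }.
function decide(user, context) {
  const meta = user.app_metadata || {};
  const orgs = meta.organisations || {};
  const orgIds = Object.keys(orgs);
  const query = (context.request && context.request.query) || {};
  if (orgIds.length === 0) return { action: 'deny', reason: 'user belongs to no organisation' };

  // Second pass: the picker sent the user back to /continue. Everything in
  // context.request.query is attacker-controlled, so the chosen org is only
  // accepted if it is one the user actually belongs to.
  if (context.protocol === 'redirect-callback') {
    const chosen = query.org;
    if (typeof chosen !== 'string' || !has(orgs, chosen)) {
      return { action: 'deny', reason: 'organisation not permitted for this user' };
    }
    return { action: 'issue', org: chosen, persist: true };
  }

  // First pass, and every later /authorize (silent renewals included): Rules run
  // on each authentication, so the org persisted in app_metadata is visible here.
  // An explicit ?org= on /authorize lets the SPA switch organisation, subject to
  // the same membership check. A stored org the user no longer belongs to is
  // ignored, which sends them back through the picker.
  if (typeof query.org === 'string' && has(orgs, query.org)) {
    return { action: 'issue', org: query.org, persist: true };
  }
  if (typeof meta.current_org === 'string' && has(orgs, meta.current_org)) {
    return { action: 'issue', org: meta.current_org, persist: false };
  }
  if (orgIds.length === 1) return { action: 'issue', org: orgIds[0], persist: true };

  // Redirect rules cannot fire during silent auth (prompt=none) or a refresh
  // token exchange; without a stored org there is nothing safe to issue.
  if (query.prompt === 'none' || context.protocol === 'oauth2-refresh-token') {
    return { action: 'deny', reason: 'organisation not selected' };
  }
  return { action: 'redirect', url: ORG_PICKER_URL, orgs: orgIds };
}

// Namespaced claims for both tokens: the ID token gets the chosen org and the
// list to show in the UI, the access token gets the org and the per-org roles.
function applyClaims(user, context, org) {
  const roles = user.app_metadata.organisations[org].roles || [];
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  context.idToken[NS + 'org'] = org;
  context.idToken[NS + 'organisations'] = Object.keys(user.app_metadata.organisations);
  context.accessToken[NS + 'org'] = org;
  context.accessToken[NS + 'roles'] = roles;
  return context;
}

// Stand-in for auth0.users.updateAppMetadata(user.user_id, meta), which in a
// real Rule returns a promise (the callback would be invoked from its .then()).
// Kept synchronous and in-memory here so the example runs offline.
let persistAppMetadata = (user, meta) => { user.app_metadata = meta; };

// The Rule as Auth0 would invoke it: function (user, context, callback).
function selectOrgRule(user, context, callback) {
  const d = decide(user, context);
  if (d.action === 'deny') return callback(new Error(d.reason)); // UnauthorizedError in a real Rule
  if (d.action === 'redirect') {
    // The picker receives the org list and must send the user back to
    // /continue?state=... with its choice. In production, sign this payload
    // (e.g. a short-lived JWT on a shared secret) so the picker can trust it.
    context.redirect = { url: d.url + '?orgs=' + encodeURIComponent(d.orgs.join(',')) };
    return callback(null, user, context);
  }
  if (d.persist) {
    persistAppMetadata(user, Object.assign({}, user.app_metadata, { current_org: d.org }));
  }
  return callback(null, user, applyClaims(user, context, d.org));
}
```

With this shape, the SPA never has to carry the organisation between the login and the later access token requests itself: each API just validates the access token and authorises on the `org` and `roles` claims. Whether those roles are additionally mapped to scopes in the same Rule is a separate design choice not shown here.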