I am building an SPA with a backend API that will be used by multiple companies, with each company having several users.
The problem I am facing is that if I have 2 users, one from company X and one from company Y, how can my backend know which company that user belongs to so that it can return the correct data to the user?
Do I add permissions to the users e.g. company:companyX & company:companyY so that my backend can distinguish between the users?
Or is there another (better) method for doing this?
I have successfully managed to write the rule, and I am able to get the company that the user belongs to in the id token after setting it in the app_metadata.
My next question is how can my backend get this information as well?
The app_metadata is only set in the id token, which doesn’t get sent to the API, so it still has no knowledge of which company the user belongs to.
I’ve read about the /userinfo API endpoint for getting user information, so should my backend make a call to the endpoint and get the app_metadata that way? And should it use the access token that the client sent to it to access this API?