I know i’m simultaneously asking these questions here and Allowed Callback URLs field limitations? - #11 by steve1 however just looking to solve this so i’ll do my best to find solutions.
So, in the scenario of a single Auth0 tenant tied to a single web app. I map various subdomains and instruct to configure DNS for external domains for my customers to point to our single platform CNAME. eg, mycommunity,app,com or somethingelse,aaa,com or community,customer1,com (which points to alias,aaa,com).
Hurdles and options that seem worth considering so far:
- Allowed Callbacks
- Allowed Web Origins
- Allowed Logout Urls
When a new customer is created on my multi-tenant platform, using the Management API i could either:
- Use a single Auth0 Application (Client) and add the new domain using Auth0 Management API v2 to update callbacks, web_origins and allowed_logout_urls
- Use multiple Auth0 Application (Client), one for EVERY customer domain using Auth0 Management API v2 and then adding the relevant connections (eg, ‘facebook’) using Auth0 Management API v2 enabled_clients
My issue with 1. is the 100 domain limit on callback urls. Eventually you’ll hit it.
And my issue with 2. is similar, is there a limit on the amount of Auth0 Applications (Clients) we can create, not to mention how unwieldily that will get. Plus i can’t easily bundle the Auth0 ClientId with the app, will have to query it per tenant based on hostname.
I’m leaning towards 2. even though i have been using 1. for some time, just feeling like i’m on borrowed time and eventually the limit will be hit.
edit However after some thought … can you do Single Sign On (SSO) between Auth0 Applications (Clients)?? perhaps not.
Anyone else have a suggestion? Perhaps an insecure universal callback url? 