I built a multi-tenant SaaS application which I would like to integrate with Microsoft Flow.
I have a NodeJS backend which is registered as an API in Auth0 and an Angular SPA which is registered as an Application. User permissions are saved in user’s app_metadata property which is populated to the access token via a rule to then do application layer authorization in the NodeJS backend. This works fine.
Now I would like to enable users to integrate with Microsoft Flow:
I tried this with different application types (Regular Web Application, Machine to Machine Application) and was able to authenticate. The problem is that I do not get the user’s app_metadata with the access token which I need for authorization.
I would like to know:
- Why does the rule not apply?
- Which application type should I use for a scenario like this?
- Should I create one application for each tenant (not talking about Auth0 tenants!)?
- How can I provide user/tenant information to the NodeJS backend for authorization (ideally user’s app_metadata)?