Multi-Tenant Authorization

I’m following up on a previous post http://community.auth0.com/t/help-with-multi-tenant-spa-rest-application/38893

I believe I have Option C working. But I have a follow-up question regarding permissions. Please see this image to help me describe:


My question is basically, once I have the tenant(s) as permissions in the JWT, how do I know in the express API that the user is authorized to perform CRUD operations on one of those tenants?

Hi @jhouse153,

The sub claim in the access token contains the user id.

You could use RBAC to assign the user roles based on organization and permissions (like a user and an admin role). Would that work in your scenario?

Right, I have RBAC enabled, and that seems to be working fine. But in the API, how do I check that the organization ID in the request is in the user's permissions?

I’m looking for something like this:

    const orgID = req.query.org_id;  //gets organization ID in the request
    if(jwtAuthz([orgID]) === false){ // uses jwtAuthz to make sure the org ID is in their permission list
        return 401;  // if it's not, return unauthorized. 
    }
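One way to implement the check asked for above, as an added example that is not part of the original thread or of any Auth0 library. The pseudocode calls `jwtAuthz`, but express-jwt-authz takes a fixed list of expected permissions when the route is defined, so it cannot compare against an organization ID that only arrives with each request; the middleware below does that comparison directly. It assumes that a JWT-verifying middleware such as express-jwt has already validated the token and attached its decoded payload to `req.user` (if you use a library that puts it elsewhere, e.g. `req.auth.payload`, adjust the one line that reads it), and that the `permissions` claim is an array of strings containing tenant identifiers such as `org_123`, as the question describes. The `permissionFor` option, the `tenantGuard`/`runGuard` names and the sample payload are this example's own.

```javascript
// Express-style middleware that checks the tenant (org) named in the request
// against the `permissions` claim of an already-verified access token.
// Assumptions (not from the original thread): a JWT-verifying middleware such
// as express-jwt has already validated the token and attached its decoded
// payload to `req.user`, and `permissions` is an array of strings that holds
// tenant identifiers such as "org_123".

const HTTP_FORBIDDEN = 403;   // authenticated, but not allowed for this tenant
const HTTP_BAD_REQUEST = 400; // no usable tenant identifier in the request

// Return a middleware that lets the request through only when the caller's
// permissions include the tenant named by `req.query[param]`.
// `permissionFor` maps a tenant id to the permission string that grants
// access to it; the default is the id itself. Pass e.g. (id) => `write:${id}`
// when the permissions are action-scoped per tenant (hypothetical naming).
function requireTenantPermission({ param = 'org_id', permissionFor = (id) => id } = {}) {
  return function tenantGuard(req, res, next) {
    const orgId = req.query && req.query[param];
    // Reject a missing or repeated value (?org_id=a&org_id=b parses to an
    // array) instead of coercing it; only one non-empty string is acceptable.
    if (typeof orgId !== 'string' || orgId.length === 0) {
      return res.status(HTTP_BAD_REQUEST).json({ error: 'org_id required' });
    }
    const permissions =
      req.user && Array.isArray(req.user.permissions) ? req.user.permissions : [];
    // Exact string match against the claim, never a prefix or regex match,
    // so "org_1" cannot satisfy a check for "org_12".
    if (!permissions.includes(permissionFor(orgId))) {
      return res.status(HTTP_FORBIDDEN).json({ error: 'not authorized for this tenant' });
    }
    req.tenantId = orgId; // downstream handlers scope every query to this id
    return next();
  };
}

// Minimal stand-ins for Express `res` so the guard runs without a server.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Run the guard against a constructed request and report what happened.
function runGuard(guard, { query, payload }) {
  const req = { query, user: payload };
  const res = makeRes();
  let reachedHandler = false;
  guard(req, res, () => { reachedHandler = true; });
  return {
    allowed: reachedHandler,
    status: reachedHandler ? 200 : res.statusCode,
    tenantId: req.tenantId,
  };
}

// Constructed sample token payload: this caller belongs to two tenants.
const SAMPLE_PAYLOAD = { sub: 'auth0|abc123', permissions: ['org_123', 'org_456'] };

function demo() {
  const guard = requireTenantPermission();
  const results = [
    runGuard(guard, { query: { org_id: 'org_123' }, payload: SAMPLE_PAYLOAD }), // allowed
    runGuard(guard, { query: { org_id: 'org_999' }, payload: SAMPLE_PAYLOAD }), // 403
    runGuard(guard, { query: {}, payload: SAMPLE_PAYLOAD }),                    // 400
  ];
  results.forEach((r) => console.log(JSON.stringify(r)));
  return results;
}

demo();
```

In a real app the guard is mounted after the JWT middleware on every tenant-scoped route, e.g. `app.get('/items', checkJwt, requireTenantPermission(), handler)`, and the handler must use `req.tenantId` rather than re-reading `org_id` itself, so that nothing downstream can act on an unchecked value. A failed tenant check returns 403 rather than the 401 in the pseudocode: the token was valid and the caller is known, they simply are not allowed to touch that tenant, and 401 would prompt clients to retry with new credentials.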

@mathiasconradt might be able to help here.

Great. Thanks for the help!

