I believe I have Option C working. But I have a follow-up question regarding permissions. Please see this image to help me describe:
My question is basically, once I have the tenant(s) as permissions in the JWT, how do I know in the express API that the user is authorized to perform CRUD operations on one of those tenants?
Right, I have RBAC enabled, and that seems to be working fine. But in the API, how do I check that the organization ID in the request is in the user's permissions?
I’m looking for something like this:
const orgID = req.query.org_id; // gets the organization ID from the request
if (jwtAuthz([orgID]) === false) { // uses jwtAuthz to make sure the org ID is in their permission list
  return 401; // if it's not, return unauthorized.
}
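One way to do the check the post above is asking for, written as an added example rather than code from the original thread or from any Auth0 library: a small Express-style middleware that compares the `org_id` in the request against the tenant permissions already present in the verified token. It assumes that JWT verification middleware (for instance express-jwt) has run first and placed the decoded payload on `req.auth`, and that tenant permissions are strings shaped like `read:org:<orgId>`; both of those are assumptions, and `parsePermission()` is the single place to change if the claim format differs.

```javascript
// Added example (not from the original post): authorize a request for one
// organization against the tenant permissions in an already-verified JWT.
//
// Assumptions (not stated in the original thread):
//  - JWT verification middleware has already run and placed the decoded
//    payload on req.auth (express-jwt v7+ convention; older versions used req.user).
//  - Tenant permissions are strings of the form "<action>:org:<orgId>",
//    e.g. "read:org:org_123". Adjust parsePermission() for another scheme.

function parsePermission(perm) {
  // Split "read:org:org_123" into { action: "read", orgId: "org_123" };
  // anything that does not match the expected shape is ignored (null).
  const parts = String(perm).split(":");
  if (parts.length !== 3 || parts[1] !== "org") return null;
  return { action: parts[0], orgId: parts[2] };
}

function orgAllowed(permissions, orgId, action) {
  // Fail closed: a missing claim, a missing/empty org_id, or an org_id that
  // is not a single string (e.g. ?org_id=a&org_id=b parses as an array) all
  // deny access rather than matching anything.
  if (!Array.isArray(permissions) || typeof orgId !== "string" || orgId === "") {
    return false;
  }
  return permissions.some((perm) => {
    const p = parsePermission(perm);
    return p !== null && p.orgId === orgId && p.action === action;
  });
}

// Middleware factory: requireOrgPermission("read") checks req.query.org_id
// against req.auth.permissions and answers 403 when the tenant is not granted.
function requireOrgPermission(action) {
  return function (req, res, next) {
    const orgId = req.query && req.query.org_id;
    const permissions = (req.auth && req.auth.permissions) || [];
    if (!orgAllowed(permissions, orgId, action)) {
      // 403 rather than 401: the caller is authenticated (the JWT verified)
      // but is not authorized for this particular organization.
      return res.status(403).json({ error: "forbidden for this organization" });
    }
    return next();
  };
}

// Constructed sample payload standing in for a decoded token (hypothetical values).
const SAMPLE_AUTH = {
  sub: "auth0|example-user",
  permissions: ["read:org:org_123", "write:org:org_123", "read:org:org_456"],
};

// Minimal fake req/res so the middleware can be exercised without a server.
function runMiddleware(action, orgId, auth = SAMPLE_AUTH) {
  const req = { query: { org_id: orgId }, auth };
  let statusCode = 200;
  let nextCalled = false;
  const res = {
    status(code) { statusCode = code; return this; },
    json() { return this; },
  };
  requireOrgPermission(action)(req, res, () => { nextCalled = true; });
  return { statusCode, nextCalled };
}

// Example wiring in a real app (not executed here):
//   app.get("/orgs/items", checkJwt, requireOrgPermission("read"), handler);
//   app.post("/orgs/items", checkJwt, requireOrgPermission("write"), handler);
```

The check is deliberately a pure function (`orgAllowed`) wrapped by the middleware, so the same logic can be unit-tested without Express and reused for body or path parameters instead of the query string. It also treats the action as part of the permission, so a token that only grants `read:org:org_456` cannot be used for a write on that tenant.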