Multi-Tenant Authorization

I’m following up on a previous post https://community.auth0.com/t/help-with-multi-tenant-spa-rest-application/38893

I believe I have Option C working. But I have a follow up question regarding permissions. Please see this image to help me describe:


My question is basically, once I have the tenant(s) as permissions in the JWT, how do I know in the express API that the user is authorized to perform CRUD operations on one of those tenants?

Hi @jhouse153,

The sub claim in the access token contains the user id.

You could use RBAC to assign the user roles based on organization and permissions (like a user and an admin role). Would that work in your scenario?

Right, I have RBAC enabled, and that seems to be working fine. But in the API, how do I check that the organization ID in the request is in the user's permissions?

I’m looking for something like this:

    const orgID = req.query.org_id;  // gets organization ID in the request
    const permissions = (req.user && req.user.permissions) || []; // permissions claim decoded from the JWT by express-jwt (jwtAuthz is middleware, not a boolean check)
    if (!permissions.includes(orgID)) { // make sure the org ID is in their permission list
        return res.sendStatus(401);  // if it's not, return unauthorized
    }
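
One way to implement the check asked for above, as an added example that is not code from this thread or from Auth0's own libraries: a small Express-style middleware that compares the tenant named in the request with the `permissions` claim of the already-verified access token. It assumes express-jwt (v7+) has put the decoded payload on `req.auth` (older versions use `req.user`) and that each tenant permission is the string `tenant:<org_id>`, a constructed naming convention.

```javascript
// Added example (not from the original thread): an Express-style middleware that
// checks the tenant named in the request against the `permissions` claim that
// Auth0 RBAC places in the access token. Assumptions: the token has already been
// verified by express-jwt, which exposes the decoded payload as req.auth; each
// tenant permission is the string `tenant:<org_id>` (a constructed convention).

const PERMISSION_PREFIX = 'tenant:';

// Pure decision function: true only when the verified token grants this exact org.
function tokenGrantsOrg(claims, orgId) {
  if (typeof orgId !== 'string' || orgId.length === 0) return false;
  const perms = Array.isArray(claims && claims.permissions) ? claims.permissions : [];
  // Exact match: a permission for "tenant:acme" must not satisfy "tenant:acme2".
  return perms.includes(PERMISSION_PREFIX + orgId);
}

// Middleware factory; getOrgId picks the tenant out of the request (path or query).
function requireTenant(getOrgId = (req) => req.params.org_id || req.query.org_id) {
  return function (req, res, next) {
    const orgId = getOrgId(req);
    if (!orgId) {
      return res.status(400).json({ error: 'org_id is required' });
    }
    // req.auth is absent only if the JWT middleware did not run or the token was missing.
    if (!req.auth) {
      return res.status(401).json({ error: 'missing or invalid token' });
    }
    // Authenticated but not permitted for this tenant: 403, not 401.
    if (!tokenGrantsOrg(req.auth, orgId)) {
      return res.status(403).json({ error: 'not authorized for this tenant' });
    }
    return next();
  };
}

// Minimal stand-in for Express req/res so the check can be exercised without a server.
function runCheck(claims, orgId) {
  const req = { auth: claims, params: {}, query: { org_id: orgId } };
  let statusCode = 200;
  const res = {
    status(code) { statusCode = code; return this; },
    json() { return this; },
  };
  let reachedHandler = false;
  requireTenant()(req, res, () => { reachedHandler = true; });
  return { statusCode, reachedHandler };
}
```

In a real app it is mounted after the JWT middleware, e.g. `app.get('/orgs/:org_id/items', checkJwt, requireTenant(), handler)`, so a valid token for one tenant never reaches a handler for another.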

@mathiasconradt might be able to help here.

Great. Thanks for the help!
