We are running a multi-tenant database behind an Auth0-protected API on Azure (all ASP.NET Core). When the user calls the API (for example from a server-side app) in order to retrieve data, we need to ensure that only the data belonging to the user's site/organization is returned (i.e. "… where tenant = 'example.com'") and never the data belonging to other customers.
Our customers/tenants are companies, each having multiple users. Currently we are doing skunk work and the tenants are simply identified by their domain name, e.g. "example.com", which is part of the user name. All "user management" (e.g. roles) is in the metadata; we do not run any kind of user management within our applications so far.
Unfortunately we only get the Auth0 user-id from the access token, which is not sufficient to identify the tenant.
So far I have looked into the following to resolve the issue:
- Web Hook (client credentials exchange). The idea was to inject the user name (as a claim/scope) into the access token, but my impression (judging by the examples) is that the user information cannot be accessed from within the hook.
- Getting the user info within the API. That would most likely work, but (a) Auth0's documentation advises against retrieving the user info for each request due to Auth0's rate limit, and (b) this would probably increase the latency.
Currently I only see two ways to resolve this:
- Use a custom database, which is something I would prefer to avoid. I also do not know whether Azure SQL is supported and whether a custom database is supported by the free plan (as we are still doing skunk work).
- Implement a lookup associating Auth0's user-id and user-name. Somehow this does not feel right and I am afraid of security loopholes. Also this might eventually break and go out of sync when the tokens expire.
Any ideas?
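The following is an added example, not part of the original post and not Auth0's or the poster's code. It sketches the "put the tenant into the access token" approach from the first bullet as two halves: a token-issuing function shaped like a legacy Auth0 Rule, whose `(user, context, callback)` signature and `context.accessToken[...]` assignment follow the Rules API that receives the user object (the post's concern about Hooks is about a different extension point), and the API-side check that refuses any token without the claim before scoping a query. The claim namespace `https://api.example.com/tenant` and the `items` table are placeholders chosen for this example; the tenant is derived from the user's verified e-mail domain because that is how the post identifies tenants today.

```javascript
// Added example: tenant claim minted at token issuance, then enforced in the API.
// Assumptions (not from the original post): the namespaced claim URI below,
// the legacy Auth0 Rules signature, and the `items` table in the scoped query.

const TENANT_CLAIM = 'https://api.example.com/tenant'; // assumed namespace

// Derive the tenant (domain) from an e-mail address; null if malformed.
function tenantFromEmail(email) {
  if (typeof email !== 'string') return null;
  const m = /^[^@\s]+@([^@\s]+)$/.exec(email.trim());
  return m ? m[1].toLowerCase() : null;
}

// Token-issuing side, shaped like a legacy Auth0 Rule (user, context, callback).
// Refuses to mint a tenant claim from an unverified address: otherwise a
// self-signup user with alice@victim.example could land in the victim's tenant.
function addTenantClaim(user, context, callback) {
  if (!user || user.email_verified !== true) {
    return callback(new Error('email not verified; refusing to mint tenant claim'));
  }
  const tenant = tenantFromEmail(user.email);
  if (!tenant) {
    return callback(new Error('cannot derive tenant from e-mail address'));
  }
  context.accessToken[TENANT_CLAIM] = tenant;
  return callback(null, user, context);
}

// API side. `claims` is the payload of an access token whose signature,
// issuer, audience and expiry have ALREADY been validated by the JWT
// middleware; this function only decides whether the tenant claim is usable.
function requireTenant(claims) {
  const tenant = claims && claims[TENANT_CLAIM];
  // Hostname-shaped only: no wildcards, spaces or SQL metacharacters.
  if (typeof tenant !== 'string' || !/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/.test(tenant)) {
    throw new Error('access token carries no usable tenant claim');
  }
  return tenant;
}

// Build the tenant-scoped query. The tenant value is bound as a parameter,
// never concatenated into the SQL text, so the claim cannot become an injection.
function scopedQuery(claims) {
  const tenant = requireTenant(claims);
  return {
    text: 'SELECT id, payload FROM items WHERE tenant = $1',
    values: [tenant],
  };
}

// Demonstration with constructed input (not a real Auth0 user record).
function demo() {
  const ctx = { accessToken: {} };
  let result;
  addTenantClaim(
    { user_id: 'auth0|000', email: 'Alice@Example.com', email_verified: true },
    ctx,
    (err) => { result = err ? `rejected: ${err.message}` : scopedQuery(ctx.accessToken); }
  );
  return result;
}
```

Usage note: with the claim in the token, the API never calls Auth0's userinfo endpoint per request (the rate-limit and latency concern in the second bullet disappears), and there is no user-id-to-tenant table to drift out of sync: the tenant travels with each token and is re-derived on every login. The check in `requireTenant` should fail closed, as above; a missing claim means "no data", never "all data".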