I would like to learn more about the proper way of organizing resources.
We develop a PaaS product, where each of our customers owns a non-shared set of resources (a cluster with an API and an SPA web app).
Our design is to create a single Auth0 tenant and for each customer define:
- Connection (Azure LDAP, SAML, etc.)
- SPA Application
This way, each customer manages their own users in their IdP, we just allow them to log into the infrastructure via Auth0.
Now we are facing a problem: it seems that the SPA can send whatever "audience" it wants and Auth0 will grant an access token.
So customer1 could potentially ask for a token with the "audience" "api.customer2.paas.com".
I have read the previous messages and it seems that the “Public-facing applications” cannot have any restrictions of this kind, because they are public.
What would be the best way to tie together a connection, application, and an API?
Should every customer have its own Auth0 tenant? Or should we write Auth0 Actions that verify that a user coming from connection_1 cannot try to access api_2?
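The second option the post raises, a Post Login Action that binds each customer's connection to its own SPA client and API audience and denies any other combination, as an added example that is not part of the original post or of Auth0's own code. It assumes the event fields `event.connection.name`, `event.client.client_id` and `event.resource_server.identifier` and the `api.access.deny()` call of the Post Login trigger; the customer table, connection names, client ids and audiences are constructed placeholders.

```javascript
// Added example (not from the post): Post Login Action that ties connection,
// SPA application and API audience together per customer and fails closed.
// Constructed placeholder table; in a real Action this would be loaded from
// Action secrets or from connection/client metadata instead of being inlined.
const CUSTOMERS = [
  { connection: "customer1-saml",    clientId: "spa_client_id_customer1", audiences: ["https://api.customer1.paas.com"] },
  { connection: "customer2-azuread", clientId: "spa_client_id_customer2", audiences: ["https://api.customer2.paas.com"] },
];

// Returns null when the (connection, client, audience) triple belongs to one
// customer, otherwise a deny reason. Unknown connections are denied (fail closed).
function checkBinding(connectionName, clientId, audience) {
  const customer = CUSTOMERS.find((c) => c.connection === connectionName);
  if (!customer) return `no customer owns connection ${connectionName}`;
  if (customer.clientId !== clientId) {
    return `client ${clientId} is not the application registered for ${connectionName}`;
  }
  // No audience means no API access token is being requested (assumption:
  // the SPA only asked for an ID token / userinfo token), so nothing to bind.
  if (audience && !customer.audiences.includes(audience)) {
    return `connection ${connectionName} may not request audience ${audience}`;
  }
  return null;
}

// Core enforcement, kept synchronous so it can be exercised offline.
// Field names are assumed to match Auth0's Post Login event (see lead-in).
function enforce(event, api) {
  const reason = checkBinding(
    event.connection && event.connection.name,
    event.client && event.client.client_id,
    event.resource_server && event.resource_server.identifier
  );
  if (reason) api.access.deny(reason);
  return reason;
}

// In Auth0 this function is exported as `exports.onExecutePostLogin`.
const onExecutePostLogin = async (event, api) => { enforce(event, api); };

// Minimal stand-in for the Auth0 `api` object, recording the deny reason.
function makeMockApi() {
  const state = { denied: null };
  const api = { access: { deny: (reason) => { state.denied = reason; } } };
  return { api, state };
}
```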