Per-Organization APIs

Hi,

We have a single B2B NextJS application utilizing Organizations. Each Organization has its own API, so the Audience is not known before sign-in. The API identifier that belongs to the Organization is stored as metadata on the Organization.

How can I have the user obtain an access token to only their Organization’s API?

Hey there @aaronjones welcome to the community!

Unfortunately, without knowing the audience prior to auth the user will need to re-auth one way or another to obtain an access token containing the correct audience.

Can you help me better understand the need for each Org to have a separate API? The more details you can provide about your use case in general the better!

1 Like

Hi @tyf,

Each Organization has their own database. The database schema is not multitenant. Also some Organizations host their own database.

I found some posts talking about creating a logical API. Is that appropriate for this scenario? Are there any other ways to accomplish this?

@tyf

Could I build an API hierarchy, where our client app provides the Audience value of the identifier of the top-level app API, and then in a post-login action that top-level API connects to the appropriate Organization API based on the signed in user’s metadata?

Single Logical API

Let’s say the identifier of our top-level API is: alpha-app-api.

Organizations and Users

And let’s say we have two Organizations and two users:

  1. Able Corp.
    1.1. Jane Doe
  2. Bee Co.
    2.1. Bob Smith

Per-Organization APIs

Able Corp. will have its own API: https://alpha-api.able-corp.com.
And Bee Co. has its own API: https://alpha-api.bee-co.com.

Organization Metadata

We’ll save the identifier for the Able Corp. API in the Able Corp. Organization metadata:

{
  "apiUrl": "https://alpha-api.able-corp.com"
}

And save the identifier for the Bee Co. API in the Bee Co. Organization metadata:

{
  "apiUrl": "https://alpha-api.bee-co.com"
}

And the client app can be called Alpha Client App.

AuthN Flow

When Jane signs in to Alpha Client App, it can provide the Audience value of alpha-app-api. Then, in a post-login Action, we obtain the per-organization API URL from the metadata of the Organization to which Jane belongs:

{
  "apiUrl": "https://alpha-api.able-corp.com"
}

At this point, can we silently obtain an Access Token to the Able Corp. API (M2M) using the above apiUrl as the audience?

If so, can we then pass that AT back to Jane on the client as a custom claim, allowing her to access the Able Corp. API from the Alpha App client?

1 Like

Hey @aaronjones thanks for following up!

I am thinking the logical API might be your best bet.

Doing silent auth and changing the audience (I assume scopes/permissions as well?) is going to be cumbersome as it will require additional user consent.

Have you considered relying on the user’s org_id, role, custom claim etc. in access tokens to make access control decisions? That is, instead of attempting to rely on the audience, all tokens will have the same audience of the top level API, and you rely on one of the aforementioned attributes to differentiate users and their access.

Keep us posted!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.