We have a single B2B NextJS application utilizing Organizations. Each Organization has its own API, so the Audience is not known before sign-in. The API identifier that belongs to the Organization is stored as metadata on the Organization.
How can I have the user obtain an access token to only their Organization’s API?
Unfortunately, without knowing the audience prior to auth the user will need to re-auth one way or another to obtain an access token containing the correct audience.
Can you help me better understand the need for each Org to have a separate API? The more details you can provide about your use case in general the better!
Could I build an API hierarchy, where our client app provides the Audience value of the identifier of the top-level app API, and then in a post-login action that top-level API connects to the appropriate Organization API based on the signed in user’s metadata?
Single Logical API
Let’s say the identifier of our top-level API is: alpha-app-api.
Organizations and Users
And let’s say we have two Organizations and two users:
1. Able Corp.
   1.1. Jane Doe
2. Bee Co.
   2.1. Bob Smith
Per-Organization APIs
Able Corp. will have its own API: https://alpha-api.able-corp.com.
And Bee Co. has its own API: https://alpha-api.bee-co.com.
Organization Metadata
We’ll save the identifier for the Able Corp. API in the Able Corp. Organization metadata:
{
"apiUrl": "https://alpha-api.able-corp.com"
}
And save the identifier for the Bee Co. API in the Bee Co. Organization metadata:
{
"apiUrl": "https://alpha-api.bee-co.com"
}
And the client app can be called Alpha Client App.
AuthN Flow
When Jane signs in to Alpha Client App, it can provide the Audience value of alpha-app-api. Then, in a post-login Action, we obtain the per-organization API URL from the metadata of the Organization to which Jane belongs:
{
"apiUrl": "https://alpha-api.able-corp.com"
}
At this point, can we silently obtain an Access Token to the Able Corp. API (M2M) using the above apiUrl as the audience?
If so, can we then pass that AT back to Jane on the client as a custom claim, allowing her to access the Able Corp. API from the Alpha App client?
I am thinking the logical API might be your best bet.
Doing silent auth and changing the audience (I assume scopes/permissions as well?) is going to be cumbersome as it will require additional user consent.
Have you considered relying on the user’s org_id, role, custom claim etc. in access tokens to make access control decisions? That is, instead of attempting to rely on the audience, all tokens will have the same audience of the top level API, and you rely on one of the aforementioned attributes to differentiate users and their access.