I’m working on a SaaS product that will need to allow for multiple tenants. This application will have fine-grained access control (think functions vs. roles) and a low chance of a user spanning multiple tenants (User A has access to Company A and B’s data – think a 3rd-party consultant, for example).
The main application is an Angular2 SPA, and the back end is a .NET WebApi2 app. I’ve followed the quickstart documentation (this and this, but modified for the newer HttpClient) for setting both up, and the access token is being sent properly, and claims are being populated. I then wrote some additional OWIN middleware to connect to the userinfo endpoint, to populate a second identity with that information. However, I’m running into issues where the middleware is failing somewhere, and never making it to the controller.
I’m assuming there is a better way (a built-in way?) to either retrieve the user information automatically, or cache it once retrieved for subsequent calls? I assume sending the id_token along with the access_token is frowned upon, since it’s not a scenario covered in the OpenID Connect spec?
I’ve seen mention of the custom Auth0 middleware for OWIN, but these always seem to be used when it’s an MVC + WebApi application (like here). Is this something that is recommended to be used with the sort of setup I have, or is there an alternative?
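The enrichment step the post describes (OWIN middleware that calls the userinfo endpoint, builds a second identity from the response, and caches it for later calls), written out as an added example. This is not code from the original post or from Auth0; it assumes Microsoft.Owin, System.Net.Http and Newtonsoft.Json are referenced, that the JWT bearer middleware is registered before it, and that the userinfo URI is a placeholder you supply. The cache is keyed by a hash of the access token rather than the token itself, and its lifetime is capped by the token's own `exp` claim.

```csharp
// Added example, not code from the original post: OWIN middleware that enriches the
// bearer-authenticated principal with claims from the OIDC /userinfo endpoint and
// caches them per access token. Assumes Microsoft.Owin, System.Net.Http and
// Newtonsoft.Json are referenced; the endpoint URI is a placeholder you supply.
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Runtime.Caching;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Newtonsoft.Json.Linq;

public class UserInfoEnrichmentMiddleware : OwinMiddleware
{
    private static readonly HttpClient Http = new HttpClient { Timeout = TimeSpan.FromSeconds(5) };
    private static readonly MemoryCache Cache = MemoryCache.Default;
    private readonly Uri _userInfoEndpoint;

    // Register AFTER app.UseJwtBearerAuthentication(...), e.g.:
    //   app.Use<UserInfoEnrichmentMiddleware>(new Uri("https://YOUR_DOMAIN/userinfo"));
    public UserInfoEnrichmentMiddleware(OwinMiddleware next, Uri userInfoEndpoint) : base(next)
    {
        _userInfoEndpoint = userInfoEndpoint;
    }

    public override async Task Invoke(IOwinContext context)
    {
        var principal = context.Authentication.User;
        var token = ExtractBearerToken(context.Request.Headers.Get("Authorization"));

        // Only enrich requests the JWT bearer middleware has already validated.
        if (principal?.Identity != null && principal.Identity.IsAuthenticated && token != null)
        {
            var identity = await GetUserInfoIdentityAsync(token, principal);
            if (identity != null) principal.AddIdentity(identity); // the "second identity"
        }

        // An enrichment failure must not abort the pipeline: the controller still runs,
        // and authorization on the missing claims denies access as it normally would.
        await Next.Invoke(context);
    }

    private static string ExtractBearerToken(string header)
    {
        const string prefix = "Bearer ";
        if (header == null || !header.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return null;
        return header.Substring(prefix.Length).Trim();
    }

    private async Task<ClaimsIdentity> GetUserInfoIdentityAsync(string token, ClaimsPrincipal principal)
    {
        // Key the cache by a hash of the token so the raw credential is not retained in memory.
        var cacheKey = "userinfo:" + Sha256Hex(token);
        if (Cache.Get(cacheKey) is ClaimsIdentity cached) return cached;

        try
        {
            var request = new HttpRequestMessage(HttpMethod.Get, _userInfoEndpoint);
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            var response = await Http.SendAsync(request);
            if (!response.IsSuccessStatusCode) return null;

            var json = JObject.Parse(await response.Content.ReadAsStringAsync());
            var claims = json.Properties()
                .Where(p => p.Value.Type == JTokenType.String || p.Value.Type == JTokenType.Boolean)
                .Select(p => new Claim(p.Name, p.Value.ToString(), ClaimValueTypes.String, _userInfoEndpoint.Host));
            var identity = new ClaimsIdentity(claims, "UserInfo");

            // Cache no longer than the access token itself lives, so an expired token
            // can never keep serving stale profile claims.
            Cache.Set(cacheKey, identity, new CacheItemPolicy { AbsoluteExpiration = CacheUntil(principal) });
            return identity;
        }
        catch (Exception ex) when (ex is HttpRequestException || ex is TaskCanceledException)
        {
            return null; // log the failure in a real deployment
        }
    }

    private static DateTimeOffset CacheUntil(ClaimsPrincipal principal)
    {
        var ceiling = DateTimeOffset.UtcNow.AddMinutes(5);
        long exp;
        if (long.TryParse(principal.FindFirst("exp")?.Value, out exp))
        {
            var tokenExpiry = DateTimeOffset.FromUnixTimeSeconds(exp);
            if (tokenExpiry < ceiling) return tokenExpiry;
        }
        return ceiling;
    }

    private static string Sha256Hex(string value)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(value))).Replace("-", "");
    }
}
```

Two design points matter here. The middleware never throws on a userinfo failure, so a transport error or a 401 from the endpoint cannot stop the request from reaching the controller; it just leaves the second identity absent and lets the usual claims-based authorization deny. And the cached identity is bound to the token's expiry, so a token that has expired (or, with the 5-minute ceiling, one that was revoked) cannot keep serving profile claims for long; the cache key is a SHA-256 of the token rather than the token, so the raw bearer credential is not kept in process memory beyond the request.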