I am building a multi-tenant application where we have a concept of an organization that has users. Our application is modeled such that a user can belong to many organizations, but the user can only be logged into one of them at a time. I am attempting to come up with a solution in Auth0 for putting the ID of the organization the user is currently using within the JWT access token.
In terms of when the user is logging into the app, our idea here is to have one Auth0 Application per organization where the Application has metadata about which organization it represents.
The problem comes as I am trying to allow our services to communicate with each other and also have the access tokens scoped down to a single organization. Originally, I had thought I would put metadata in these Auth0 Applications which indicate they have permission to access any organization and then use a scope when getting a token to indicate organization I want right now. For example, I would request a token with scope org:xyz
and have an Auth0 Hook which could cross-check this scope with the metadata to know whether to allow it.
The problem is that there’s no way to specify a scope in the /oauth/token
route for the client_credentials
token. I cannot find any other way to indicate to the hook which org I am trying to access.
So my questions are twofold:
- Is there some way to provide this contextual information to Auth0 so that in my hook I know which organization ID to put in the token?
- If not, any other architectural suggestions for dealing with the setup described above?