Safety of multi-tenant app and authorization

I’m creating a multi-tenant application, but I’m wondering whether my implementation is secure. The flow of my app is as follows:

  1. A user signs up using a custom sign-up form. On sign-up I create a user ID which I store on the user’s app_metadata.
  2. A user logs in. Using Auth0 rules I read the app_metadata, receive the user ID and store the ID on the id_token. In my application I request the tokens (authorization and id token; responseType: 'token id_token'). Upon receiving the tokens I verify the token.
  3. After the token is verified I use the user ID in my application.

I use a similar approach to keep track of a user's access rights to a certain tenant:

  1. A user creates a tenant. I use the Auth0 Management API to update the user's app_metadata and specify the tenant and the user's access rights to this tenant (if a user creates the tenant he receives all the read:*, write:*, update:* and delete:* permissions for that tenant). At this stage my app_metadata looks something like this:
    {
      "userID": "someid",
      "accessRights": [
        {
          "tenantID": "someTenantID",
          "permissions": ["read:forum", "write:forum", "create:forum", "delete:forum"]
        }
      ]
    }

  2. In my application I keep track of the current active tenant.

  3. Whenever a user makes a request to the server for specific data of the tenant, I send the tenantID for which the user request data along with the request.

  4. On the server I verify the token.

  5. I check whether the tenantID on the token matches the tenant ID for which the request was made. In addition I check whether the user has the required permission to perform the action.

Is this flow safe? Can I use the ID token safely in my application to receive the user ID and the access rights and permissions to a certain tenant? How could I possibly improve this flow?

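The server-side check described in steps 4 and 5, written as an added example that is not part of the original post: it takes the already verified and decoded token claims, looks up the accessRights entry whose tenantID matches the tenant named in the request, and tests the required permission against it (including the `action:*` wildcards mentioned above). The namespaced claim name is a hypothetical placeholder; Auth0 rules must put custom claims under a namespace of your choosing.

```javascript
// Added example (not from the original post): tenant authorization over the
// app_metadata shape shown above. Assumes the token has ALREADY been verified
// (signature, issuer, audience, expiry) before its claims reach this code.
const ACCESS_RIGHTS_CLAIM = 'https://example.com/accessRights'; // hypothetical claim name

// True when a granted permission (e.g. "write:*" or "write:forum") covers the
// required one. Only the resource part may be a wildcard, and only on the granted side.
function permissionCovers(granted, required) {
  if (granted === required) return true;
  const [gAction, gResource] = granted.split(':');
  const [rAction, rResource] = required.split(':');
  return gAction === rAction && gResource === '*' && rResource !== undefined;
}

// Decides whether the caller may perform `requiredPermission` on `requestedTenantID`.
// The tenant comes from the request, the rights come from the verified token, and
// the two are joined only through the accessRights entry whose tenantID matches,
// so rights on one tenant never apply to another.
function authorize(claims, requestedTenantID, requiredPermission) {
  const rights = Array.isArray(claims[ACCESS_RIGHTS_CLAIM]) ? claims[ACCESS_RIGHTS_CLAIM] : [];
  const entry = rights.find((r) => r && r.tenantID === requestedTenantID);
  if (!entry) return { allowed: false, reason: 'no rights for tenant' };
  const perms = Array.isArray(entry.permissions) ? entry.permissions : [];
  const ok = perms.some((p) => typeof p === 'string' && permissionCovers(p, requiredPermission));
  return ok ? { allowed: true, reason: 'ok' } : { allowed: false, reason: 'missing permission' };
}

// Constructed sample claims mirroring the post's app_metadata, plus a second
// tenant with a wildcard read grant to exercise the wildcard path.
const SAMPLE_CLAIMS = {
  sub: 'auth0|someid',
  [ACCESS_RIGHTS_CLAIM]: [
    { tenantID: 'someTenantID', permissions: ['read:forum', 'write:forum', 'create:forum', 'delete:forum'] },
    { tenantID: 'otherTenant', permissions: ['read:*'] },
  ],
};

// Example request: write to a forum in someTenantID -> allowed; update -> denied.
console.log(authorize(SAMPLE_CLAIMS, 'someTenantID', 'write:forum'));
console.log(authorize(SAMPLE_CLAIMS, 'someTenantID', 'update:forum'));
```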

Can anyone help me with this issue?