I’m creating a multi-tenant application, but I’m wondering whether my implementation is secure. The flow of my app is as follows:
- A user signs up using a custom sign-up form. On sign-up I create a user ID which I store on the user’s app_metadata.
- A user logs in. Using Auth0 rules I read the app_metadata, receive the user ID and store the ID on the id_token. In my application I request the tokens (authorization and id token; responseType: 'token id_token'). Upon receiving the tokens I verify the token.
- After the token is verified I use the user ID in my application.
I use a similar approach to keep track of a user's access rights to a certain tenant:
A user creates a tenant. I use the Auth0 Management API to update the user's app_metadata and specify the tenant and the user's access rights to this tenant (if a user creates the tenant he receives all the read:*, write:*, update:* and delete:* permissions for that tenant). At this stage my app_metadata looks something like this:
"permissions": ["read:forum", "write:forum", "create:forum", "delete:forum"]
In my application I keep track of the current active tenant.
Whenever a user makes a request to the server for specific data of the tenant, I send the tenantID for which the user requests data along with the request.
On the server I verify the token.
I check whether the tenantID on the token matches the tenant ID for which the request was made. In addition I check whether the user has the required permission to perform the action.
Is this flow safe? Can I use the ID token safely in my application to receive the user ID and the access rights and permissions to a certain tenant? How could I possibly improve this flow?