We are working on a multi-tenant application where a user, whose identity is managed by Auth0, could be granted access to multiple tenants. Each tenant could assign different roles to that user. Right now we store the role information for a single tenant in the app_metadata in Auth0, but that won’t work when a user is assigned to multiple tenants. Plus, any time the roles change we have to synchronize multiple users at once, which is an expensive operation.
Instead, I would like to source some or all of the user’s profile from an external system (database or web service) via a rule. However, when the user authenticates, I’m struggling with how to tell the Auth0 rule which tenant they were coming from, as the code-token exchange doesn’t give me much flexibility in specifying the tenant.
I was wondering if anyone has encountered that before and what options I have for solving it. I have considered a number of options.
- Continue to synchronize the app_metadata from our system to Auth0, but segment by tenant. I would like to avoid this if at all possible as roles can be re-assigned in bulk and the synchronization process, even with the bulk import is time consuming.
- Cheat a bit and add a Tenant-ID header to the token exchange request. I should be able to access that from the context object in the rule.
- Add something to the issuer or login-hint, but I don’t know if I would have access to that in the rule.
Are there other options to consider?
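Added example (not the poster's code and not Auth0's own): a rule-shaped function of the form `function (user, context, callback)` that reads a tenant identifier from the login request, looks the user's roles up in an external membership store, and adds them as namespaced claims. The assumptions are a custom `tenant` query parameter on the `/authorize` request (Auth0 passes `/authorize` query parameters through to `context.request.query`), a claim namespace of `https://example.com/claims/`, an in-memory table standing in for the database or web service, and a local `UnauthorizedError` class standing in for the global Auth0 provides to rules. The tenant id arrives unauthenticated with the request, so the rule only honours it after the membership lookup confirms the user actually belongs to that tenant.

```javascript
// Added example: an Auth0-style rule that resolves per-tenant roles from an
// external store. Not the original poster's code; all names below are assumptions.

const CLAIM_NAMESPACE = 'https://example.com/claims/'; // assumed claim namespace

// Constructed sample data standing in for the external system:
// user id -> { tenantId -> roles }
const MEMBERSHIPS = {
  'auth0|alice': { 'tenant-a': ['admin'], 'tenant-b': ['viewer'] },
  'auth0|bob':   { 'tenant-a': ['editor'] },
};

// Stand-in for the external lookup; a real rule would query a DB or web service here.
// Returns null when the user has no membership in the tenant.
function lookupRoles(userId, tenantId) {
  const byTenant = MEMBERSHIPS[userId] || {};
  return Object.prototype.hasOwnProperty.call(byTenant, tenantId) ? byTenant[tenantId] : null;
}

// Local stand-in for the UnauthorizedError global available inside Auth0 rules.
class UnauthorizedError extends Error {}

function tenantRolesRule(user, context, callback) {
  const query = (context.request && context.request.query) || {};

  // The tenant id is client-supplied and not yet trusted: reject anything
  // malformed before it reaches the lookup.
  const tenantId = query.tenant;
  if (typeof tenantId !== 'string' || !/^[a-z0-9-]{1,64}$/.test(tenantId)) {
    return callback(new UnauthorizedError('missing or malformed tenant'));
  }

  // Only a confirmed membership turns the requested tenant into a claim.
  const roles = lookupRoles(user.user_id, tenantId);
  if (roles === null) {
    return callback(new UnauthorizedError('user is not a member of tenant ' + tenantId));
  }

  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  context.idToken[CLAIM_NAMESPACE + 'tenant'] = tenantId;
  context.idToken[CLAIM_NAMESPACE + 'roles'] = roles;
  context.accessToken[CLAIM_NAMESPACE + 'tenant'] = tenantId;
  context.accessToken[CLAIM_NAMESPACE + 'roles'] = roles;
  return callback(null, user, context);
}

// Helper for exercising the rule offline: returns { error, context }.
function runRule(user, context) {
  let result = null;
  tenantRolesRule(user, context, (err, u, ctx) => {
    result = { error: err, context: ctx };
  });
  return result;
}

// Usage: alice logging in to tenant-b gets the viewer role in both tokens.
const sample = runRule({ user_id: 'auth0|alice' }, { request: { query: { tenant: 'tenant-b' } } });
console.log(sample.error, sample.context.accessToken);
```

Because the membership lookup is the source of truth, a user who edits the `tenant` parameter to name a tenant they do not belong to is denied rather than handed a token for it, and bulk role changes only need to land in the external store, not be synchronized into app_metadata.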