SPA: Silent Authorization Code Flow with PKCE: Access state from application?


We are building a multitenant product that allows users to switch between tenants on the fly in the application. In order to implement a strong guarantee of security, we want to generate a new token with the appropriate claims each time the user switches tenant.

In order to do so, we need to pass information about which tenant the user is switching to to Auth0 so that we can validate the access to said tenant & put the tenant in the claim.

The only way we have found so far is to call to our servers from the SPA before initiating the Authorization Code Flow and then calling the same servers from the Auth0 rule to obtain the said info.

Is there any way to pass information from the SPA through to the Auth0 rules so that we can use it to alter the access token and add the custom claims?

Thanks a lot!