Update JWT claims with organisation details after sign-in

We are evaluating if we could use Auth0 as our identity management platform and are wondering if we could implement the following process:

  1. User wants to sign in at app1 under app1.domain.com (we have several web and mobile apps)
  2. User signs in over Auth0 SSO
  3. After successful sign-in, the user is prompted with a list of organizations that he/she is part of. User selects an organization.
  4. At this point, the JWT claims are updated with: org-id, user role in that org (user could have different roles in different orgs), Hasura headers, etc.

The user can switch the organization at any point, at which point the JWT token is updated with details from the selected organization.

I saw that similar things can be done with “Rules”, right after sign-in, but in the above process, the organization selection would happen at a later point.

I would be happy for suggestions on whether that could be implemented with Auth0.

Hi @white_space

You can certainly implement this with Auth0. The key here is that you cannot update a JWT; you would need to get a different JWT. Auth0 supports this with silent authentication, so no user interaction is required.

Instead of 1 JWT that gets updated, you would have 1 JWT per organization that the user requested.

Again, the user only enters credentials once, and then SSO takes over and you get access tokens without user interaction.

John

Hi @john.gateley

Appreciate your answer!

Would this mean that we first issue a JWT that gets the user to the organization selection screen?
After the organization has been selected, another JWT token is issued?

Just thinking: how would we know which token to send, as the organizations do not have their own subdomain or org name in the URL path?

If we went with Auth0, how could we implement that? Is there a guide for such a scenario?

Many thanks