We’re developing an application for managing assets of organizations. An organization (which will use our service) can create an organization in our application and start adding/managing assets. A user in our application can be a member of multiple organizations, with roles and permissions that are different for each organization he’s a member of, based on his involvement/relationship with each organization (the organization is the context for the roles and permissions). Our application provides APIs (RESTful APIs) for different types of clients, so Auth0 will secure our APIs and our clients’ assets (resources).
Based on the Auth0 documentation, the token should have only coarse-grained roles and permissions to avoid having a large payload.
What is the best way to implement this? Should we use Auth0 for authentication only and handle authorization in our application?
I know that adding all the roles and permissions of each organization the user is a member of to the token is not right or practical.
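One common shape for the split the question describes, shown here as an added example that is not part of the original post and not Auth0's own code: the token carries only a compact, namespaced claim listing the caller's role names per organization, and the API resolves those roles into fine-grained permissions from its own policy table at request time. The claim name `https://example.com/claims/orgs`, the role and permission names, and the HS256 signing with a shared secret are all assumptions made to keep the example self-contained; a production API fronted by Auth0 would normally verify an RS256 token against the tenant's JWKS with a JWT library, and the signature, expiry and audience checks below stand in for that step.

```python
"""Coarse-grained roles in the token, fine-grained permissions in the API (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Assumed custom namespaced claim: {org_id: [role, ...]}. Only role names travel in the token.
ORG_CLAIM = "https://example.com/claims/orgs"

# Constructed application-side policy: the API owns this mapping, so it can change
# without re-issuing tokens and the token stays small no matter how many permissions exist.
ROLE_PERMISSIONS = {
    "admin": {"asset:read", "asset:create", "asset:delete", "member:manage"},
    "editor": {"asset:read", "asset:create"},
    "viewer": {"asset:read"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(claims: dict, secret: bytes) -> str:
    """Test-only HS256 minting so the example runs offline; the real issuer is Auth0."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def decode_and_verify(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Authentication step at the API boundary: signature, algorithm allow-list, expiry, audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def permissions_for(claims: dict, org_id: str) -> set:
    """Authorization step in the application: roles are only meaningful inside one organization."""
    roles = claims.get(ORG_CLAIM, {}).get(org_id, [])
    permissions = set()
    for role in roles:
        permissions |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return permissions  # empty set for non-members: deny by default


def is_authorized(claims: dict, org_id: str, permission: str) -> bool:
    return permission in permissions_for(claims, org_id)


# Constructed sample: one user, admin in org_a, viewer in org_b, not a member of org_c.
TEST_SECRET = b"test-only-secret-not-for-production"
TEST_AUDIENCE = "https://api.example.com"  # assumed API identifier
SAMPLE_CLAIMS = {
    "sub": "auth0|user123",
    "aud": TEST_AUDIENCE,
    "exp": 2_000_000_000,
    ORG_CLAIM: {"org_a": ["admin"], "org_b": ["viewer"]},
}


def demo() -> dict:
    token = mint_test_token(SAMPLE_CLAIMS, TEST_SECRET)
    claims = decode_and_verify(token, TEST_SECRET, TEST_AUDIENCE, now=1_700_000_000)
    return {
        "delete_in_org_a": is_authorized(claims, "org_a", "asset:delete"),
        "delete_in_org_b": is_authorized(claims, "org_b", "asset:delete"),
        "read_in_org_b": is_authorized(claims, "org_b", "asset:read"),
        "read_in_org_c": is_authorized(claims, "org_c", "asset:read"),
    }


if __name__ == "__main__":
    print(demo())
```

The token only names roles per organization, so its size grows with the number of memberships rather than with the number of permissions, and the same role can map to different permissions if the API keys its policy table by organization as well as by role. Every check passes through the organization context, so a role held in one organization never leaks into another.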