An easy way to secure customer access for a multi-tenant application by using Auth0 app_metadata

Yama Zhang
Published in CAMS Engineering
4 min read, Sep 28, 2020

Many companies have a business need to support multiple tenants. Some choose a single-tenant architecture, while others choose a multi-tenant architecture. This article explains an easy way to authenticate your customers' access under a multi-tenant architecture.

Single Tenant vs Multi Tenant

In a single-tenant architecture each tenant has its own instance and independent database, completely isolated from the others. A multi-tenant architecture lets you build scalable applications that save resources and operating cost. With multi-tenancy, a single instance of the software serves multiple tenants. All the customers of every tenant share the same application; the service provider may use a separate database for each tenant or one database for all tenants, but each tenant's customer data remains invisible to other tenants.

Customer Authentication

With a multi-tenant architecture, it is extremely important to authenticate and authorise individual users for the right access. Auth0's documentation recommends several ways to achieve this. This article focuses on using app_metadata and gives a clear implementation example for managing your customer access.

Step 1: Create your multi-tenant application

In auth0->applications click 'CREATE APPLICATION'

You could create a native or regular web application, depending on your experience and the language you prefer.

Step 2: Create users in auth0

In auth0->Users & Roles->Users click ‘CREATE USER’

Step 3: Update user app_metadata via the Auth0 Management API.

E.g. we could use the Auth0 update-user API to update user1 with {"app_metadata": {"tenants": ["tenant_1"]}} and update user2 with {"app_metadata": {"tenants": ["tenant_2"]}}

Note: An Auth0 Management API v2 token is required to call the Auth0 Management API. Please refer to Access Tokens for the Management API to see how to get a token. Here is an example of how to get a token when you need to update a user's app_metadata via the Auth0 Management API.

Create a machine to machine application like below:

Authorise the machine to machine application to use auth0 management api

Get the access token to access auth0 management api in ‘quick start’

Use Postman to update the user's app_metadata via the Auth0 Management API

Step 4: Create a rule to add custom claims to the ID Token.

In auth0->rules click ‘CREATE RULE’

Use this as the template for your custom claim rule, but change the namespace to your own and add app_metadata. Here is an example:

Example of adding customer claim rule

Step 5: Use app_metadata in your multi-tenant application

Once you add and enable the 'Customer Claim' rule in Auth0, you will be able to access the user's app_metadata in your Auth0 application. You could check app_metadata in the user profile and redirect to the right tenant the user is allowed to access once the user logs in. Thus you control which tenants your customers can access.

Here is a code snippet that could be referred to in your multi-tenant application to get a user's tenant info after authentication:

```
/* GET user profile. */
router.get('/user', secured(), function (req, res, next) {
  // Read the namespaced claim added by the rule; e.g. `http://yama-test.com/claims/tenants`
  // will be used based on the rule above.
  var tenants = req.user._json['http://your-domain/claims/tenants'];
  // Respond with the tenant list so the caller can redirect to the right tenant.
  res.json({ tenants: tenants });
});
```
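Both halves of the flow from Step 4 and Step 5, as an added example that is not the article's own code: the Auth0 rule that copies app_metadata.tenants into the namespaced ID-token claim, and the application-side check that fails closed when the claim is missing or malformed. The namespace `http://your-domain/claims/` and the function names are assumptions; replace the namespace with your own domain as the article requires.

```javascript
// Constructed example, not from the original article.
// NAMESPACE is an assumed value; use your own domain, as the rule template requires.
const NAMESPACE = 'http://your-domain/claims/';

// Auth0 rule: runs inside Auth0's rule engine with the (user, context, callback) signature.
// It copies only the tenants list into the ID token, never the whole app_metadata object.
function addTenantsClaim(user, context, callback) {
  const meta = user.app_metadata || {};
  context.idToken[NAMESPACE + 'tenants'] = Array.isArray(meta.tenants) ? meta.tenants : [];
  return callback(null, user, context);
}

// Application side: the decoded ID-token profile (req.user._json in the article's
// Express/passport setup). A missing or malformed claim grants access to no tenant.
function allowedTenants(profile) {
  const claim = profile && profile[NAMESPACE + 'tenants'];
  return Array.isArray(claim) ? claim.filter(t => typeof t === 'string') : [];
}

// Authorization check to run before serving any tenant-scoped route.
function canAccessTenant(profile, tenantId) {
  return allowedTenants(profile).includes(tenantId);
}

// Tenant to redirect to after login: the first one the user may access, or null.
function defaultTenant(profile) {
  const tenants = allowedTenants(profile);
  return tenants.length > 0 ? tenants[0] : null;
}

// Constructed users mirroring Step 3 of the article.
function demo() {
  const ctx = { idToken: {} };
  addTenantsClaim({ app_metadata: { tenants: ['tenant_1'] } }, ctx, (err) => { if (err) throw err; });
  const profile = ctx.idToken;
  console.log(defaultTenant(profile), canAccessTenant(profile, 'tenant_2'));
}
demo();
```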

This article explained how to use app_metadata to control customer access in your multi-tenant application. It is quite easy, isn't it? But of course it is not the only way. Different companies might choose different methods based on their scale, resources, developer skills, etc.
