ardalis
Multi tenant implementation & Security
Just using a unique userId between databases should serve your needs architecturally. Copy anything else you need like email etc but not auth related columns. That works for authentication.
For authorization it’s trickier. If a user belongs to tenant A and B and has tenant-specific roles in each it will be difficult to have your SSO find and capture all of these claims at login. However you can “upgrade” a token at a specific tenant with an endpoint that uses your identity token to identify the user and then returns a new token that adds the claims for that tenant. Assuming you’re ok with separate tokens per tenant this should work.
10 replies