We are using FusionAuth to generate JWT tokens upon login for several of our apps. The tokens are then used for accessing several of our APIs. Our APIs need to determine which tenant the user belongs to. It would be great if this could be done using the JWT token. By default, the tokens generated by FusionAuth contain the application id in the aud header and the user id in the sub header, but not the tenant id.
We do have other methods of identifying the tenant to which the user belongs, which have been working for us up until now; however, it has always felt like a bit of a workaround and adds overhead to the requests.
We successfully use the JWT populate lambda to add custom claims from the user, and I think this would be the way to go in order to add the tenant id; however, it is not made available to the populate method:
For example:
  // It would be great if the tenant context was passed as an argument to the populate method
  function populate(jwt, user, registration, tenant) {
    // Add the tenant id claim
    jwt.tenantId = tenant.id;
    // Add other claims....
  }
A workaround would be to add the tenant id to the user's custom data, which we would then be able to access in the lambda; however, I am sure you will agree this is a bit clunky.
Is there any way this can be done currently with FusionAuth? Or will it require some work? If so, I can raise this as a feature request if needed.
Once again, thank you for your great work and continued support.
The tenantId is on the User object that is passed into the lambda. You can move it to the JWT like this:
  function populate(jwt, user, registration) {
    jwt.tenantId = user.tenantId;
  }
It looks like this is missing from the API docs. I've updated that and it should be available shortly.
EDIT: This field is now documented on the User object in the API docs here: https://fusionauth.io/docs/v1/tech/apis/users
Also, if you want to be super JWT-y, you can shorten the claim to tid or something. ;)
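As an added illustration (not code from the thread or from FusionAuth), here is the populate lambda from the answer above next to a hypothetical API-side check. The only thing taken from the page is the lambda signature; resolveTenant, issueSampleToken and the placeholder ids are constructed here to show how an API can fail closed when a token lacks the claim (for example a token minted before the lambda was enabled) or names a different tenant than the request targets.

```javascript
// FusionAuth JWT populate lambda, signature as shown in the answer:
// copy the user's tenantId onto the token as a custom claim.
function populate(jwt, user, registration) {
  jwt.tenantId = user.tenantId;
}

// Hypothetical API-side helper (not part of FusionAuth). Expects claims
// from a token whose signature has ALREADY been verified by the API.
// Fails closed: no claim, or a claim for another tenant, is rejected.
function resolveTenant(claims, expectedTenantId) {
  const claimed = claims.tenantId;
  if (typeof claimed !== 'string' || claimed.length === 0) {
    // Typical cause: token issued before the lambda was deployed.
    throw new Error('token carries no tenantId claim; reject and re-authenticate');
  }
  if (claimed !== expectedTenantId) {
    throw new Error(`token tenant ${claimed} does not match request tenant ${expectedTenantId}`);
  }
  return claimed;
}

// Constructed sample user; the ids are placeholders, not real FusionAuth ids.
const sampleUser = {
  id: 'user-placeholder',
  tenantId: 'tenant-a-placeholder',
  email: 'user@example.com',
};

// Simulate what FusionAuth does at login: build the default claims
// (aud = application id, sub = user id) and run the lambda over them.
function issueSampleToken() {
  const jwt = { aud: 'app-placeholder', sub: sampleUser.id, exp: 1700000000 };
  populate(jwt, sampleUser, { applicationId: 'app-placeholder' });
  return jwt;
}

// Returns true when resolveTenant rejected the claims, false if it accepted.
function isRejected(claims, expectedTenantId) {
  try {
    resolveTenant(claims, expectedTenantId);
    return false;
  } catch (e) {
    return true;
  }
}
```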