Tags: asp.net-core, multi-tenant

Is Passing Tenant ID in JWT Token a good practice?


I'm building a multi-tenant web app where I will have 1 app and 1 database for all my tenants.

I have been reading about the different techniques to pass the tenant ID from server to client and vice versa for my REST requests/responses, and it seems that the one that could fit better for me is passing the tenant ID in the JWT token, because I won't have different domains for my tenants and passing it in an X-TENANT-ID header seems insecure because anyone could change it (any information on this will be greatly appreciated).

So, is it a good practice to pass the tenant ID in the JWT token? Besides the other alternative (passing the tenant ID in an X-TENANT-ID header), are there any better ways to do it?


Solution

  • I'm putting it into the JWT token as a claim.

    You can also pass it on the URL. If you look at Azure DevOps REST API it has /{organisation}/ in there. You then validate the claim against the URL.

    I'm leaning towards doing both. Having it in the URL may help with logging, and also anonymous access if granted.

    I'm using Auth0 to generate the tokens and honestly their options for supporting multi-tenant apps are terrible, and will not scale. To support a user accessing multiple tenants with different permissions is a challenge. If I stick with Auth0 my plan is to generate unique roles per client and assign the user to them, then in the JWT token include the permissions and tenantid. I'll issue a JWT per tenant.
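The "both in the token and in the URL, then validate the claim against the URL" approach from the answer above, as an added ASP.NET Core minimal-API example (not the asker's or answerer's code). It assumes a `tenant_id` claim in the bearer token, a `{tenant}` route segment, the `Microsoft.AspNetCore.Authentication.JwtBearer` package, and `Jwt:Authority` / `Jwt:Audience` configuration keys; all of these names are assumptions.

```csharp
// Program.cs (.NET 8, Microsoft.NET.Sdk.Web). Added example, not the poster's code.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Routing;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = builder.Configuration["Jwt:Authority"]; // issuer, e.g. the Auth0 domain (assumed key)
        o.Audience  = builder.Configuration["Jwt:Audience"];  // this API's identifier (assumed key)
    });
builder.Services.AddAuthorization();
var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Cross-check: the tenant named in the URL must be the tenant the token was issued for.
// Placed after authentication (User is populated) and after routing ({tenant} is bound).
// Anonymous requests are left to the endpoint's own authorization policy, so endpoints
// that grant anonymous access keep working; every authenticated request is checked.
app.Use(async (ctx, next) =>
{
    if (ctx.User.Identity?.IsAuthenticated == true
        && !TenantGuard.RouteMatchesClaim(ctx.User, ctx.GetRouteValue("tenant")))
    {
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden; // token is for another tenant
        return;
    }
    await next(ctx);
});

app.MapGet("/{tenant}/projects", (string tenant, ClaimsPrincipal user) =>
        Results.Ok(new { tenant, subject = user.FindFirst(ClaimTypes.NameIdentifier)?.Value }))
   .RequireAuthorization();

app.Run();

public static class TenantGuard
{
    public const string TenantClaim = "tenant_id"; // assumed claim name

    // True when the URL's tenant segment equals the token's tenant claim.
    // A route without a {tenant} value is not tenant-scoped and passes through.
    public static bool RouteMatchesClaim(ClaimsPrincipal user, object? routeTenant)
    {
        if (routeTenant is not string urlTenant) return true;
        var tokenTenant = user.FindFirst(TenantClaim)?.Value;
        return tokenTenant is not null
            && string.Equals(tokenTenant, urlTenant, StringComparison.Ordinal);
    }
}
```

Because the tenant comes from the signed token, a caller cannot switch tenants by editing the URL the way they could with a bare X-TENANT-ID header; the URL segment then only serves routing and logging.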