Open carte7000 opened 5 years ago
We will need a new property called tenant
to tell the auth
daemon which tenant we want to log into.
If the login request does not provide the tenant
property, then we can log the user into a "default" tenant.
Possible approaches for determining what tenant to log the user into when no tenant
property is provided;
Add the concept of tenants which is basically a way to scope role and permissions for accounts
The main benefit of this will be to create multiple teams/organisation for a saas product for instance. While we don't want to force users to have a different account for each team they join, we also don't want to bloat JWT with roles from each different team a user belongs to. From the user perspective, it will allow them to login to multiple teams with the same login.
For this feature we want the auth API to issue JWT on a per-tenant basis. One way we could do this is by returning a JWT for each tenant a user belongs to or support tenant-based login.
This also introduces the need for superuser which can manage tenants and users that does not belong to any other tenants. This could be implemented as a root tenant, for example.
NB: Users remain a global concept, but their permissions will now be scoped by tenants and a user can belong to multiple tenants
The main things to implement are
/login
endpoint/tenants
endpoint to manage tenants with basic CRUD operation