Multi tenants support

[carte7000]

Add the concept of tenants which is basically a way to scope role and permissions for accounts

The main benefit of this will be to create multiple teams/organisation for a saas product for instance. While we don't want to force users to have a different account for each team they join, we also don't want to bloat JWT with roles from each different team a user belongs to. From the user perspective, it will allow them to login to multiple teams with the same login.

For this feature we want the auth API to issue JWT on a per-tenant basis. One way we could do this is by returning a JWT for each tenant a user belongs to or support tenant-based login.

This also introduces the need for superuser which can manage tenants and users that does not belong to any other tenants. This could be implemented as a root tenant, for example.

NB: Users remain a global concept, but their permissions will now be scoped by tenants and a user can belong to multiple tenants

The main things to implement are

• [ ] Return a JWT per tenant for the /login endpoint
• [ ] Add a /tenants endpoint to manage tenants with basic CRUD operation
• [ ] Add a way to invite users to join a tenant
• [ ] Add a way for user to know which tenants he/she belongs to

[jevonearth]

We will need a new property called tenant to tell the auth daemon which tenant we want to log into.

If the login request does not provide the tenant property, then we can log the user into a "default" tenant.

Possible approaches for determining what tenant to log the user into when no tenant property is provided;

• Choose the tenant that the user has been a member of the longest. Assumes we have a way to determine "joined date"
• Choose the tenant that has the most recent "last_logged_in" timestamp
• Have a flag called "default_tenant" on the table associating users with tenants.