C#
10mo ago
shadi

Multi tenant implementation & Security

Sorry, this is more of an architecture question than a C# one, but I want to implement the following:

A multi-tenant app with 2 web apps (Dashboard and Core).
The Dashboard app lets you create an account, pay for a specific plan, then create your own company with a Company Name & Description.
So you will have User, Company & UserCompany records added before you can access the other app.
After you add your Company, a new CoreDatabase instance is created just for you, where you can then add branches, work items, etc.

Now, users who wish to be part of those "Companies" shall create an account on my Dashboard app, because I want the Users to be centralized and also to allow some sort of mechanism that lets users move between companies and also exist in multiple companies.

But how do I reference the Users table that exists in the DashboardDatabase within each CoreDatabase?
Do I just add a Users table in my CoreDatabase too and, whenever someone applies for a company and gets accepted, add [id, displayName, email & PortalUserId] (I will cache everything that's not id here to avoid a lookup to the dashboard database from within separate apps) without any authentication there? Is this valid? Because I feel like there's duplicated data here, or is it not considered duplicated since it's a different context?

If this is OK, how do I handle security with JWT?
If user A is part of both company X & company Y,
and the Roles & UserRoles tables for each exist within each CoreDatabase and reference the CoreUser shallow copy and not the DashboardUser,
how am I supposed to generate Claims here?
Or do I only generate a basic token that allows the user to see basic stuff like his Dashboard account details and the list of companies he's part of,
and once he clicks GoToCompany,
I regenerate a new token from the old one, adding the company-specific claims?
This is the only idea I have, but I'm afraid I can't see some security breach here.

Thanks for reading.
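The two-step token flow from the question (a basic dashboard token, then a company-scoped token issued on GoToCompany), as an added example that is not code from the original post. It assumes `System.IdentityModel.Tokens.Jwt`, a shared HMAC signing key, and two hypothetical lookup delegates standing in for the UserCompany query against the DashboardDatabase and the UserRoles query against the chosen company's CoreDatabase. The security-relevant points are that the server re-validates the dashboard token and checks membership itself rather than trusting the client-supplied companyId, that a company token cannot be exchanged again, and that the two token kinds carry different audiences so one cannot be replayed against the other app.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

// Hypothetical lookups: membership from DashboardDatabase.UserCompany, roles from the tenant's CoreDatabase.UserRoles.
public delegate bool IsMemberOf(Guid userId, Guid companyId);
public delegate IReadOnlyList<string> RolesIn(Guid companyId, Guid userId);

public sealed class TenantTokenService
{
    private const string Issuer = "dashboard";
    private readonly SymmetricSecurityKey _key;               // assumption: one shared HS256 key (>= 32 bytes), kept server-side
    private readonly JwtSecurityTokenHandler _handler = new() { MapInboundClaims = false }; // keep "sub" as "sub" on validation

    public TenantTokenService(byte[] signingKey) => _key = new SymmetricSecurityKey(signingKey);

    // Step 1: after login. Audience "dashboard", no company claim; enough for account details and the company list.
    public string IssueDashboardToken(Guid userId, string email) =>
        Write(new[] { new Claim("sub", userId.ToString()), new Claim("email", email) }, "dashboard", TimeSpan.FromHours(8));

    // Step 2: GoToCompany. Re-validate the old token, verify membership on the server, read roles from that
    // company's CoreDatabase, and issue a short-lived token scoped to exactly one company.
    public string ExchangeForCompanyToken(string dashboardJwt, Guid companyId, IsMemberOf isMember, RolesIn rolesIn)
    {
        var principal = _handler.ValidateToken(dashboardJwt, Validation("dashboard"), out _);
        if (principal.HasClaim(c => c.Type == "company"))
            throw new SecurityTokenException("company tokens cannot be exchanged again");
        var userId = Guid.Parse(principal.FindFirst("sub")!.Value);
        if (!isMember(userId, companyId))                       // never trust the companyId the client asked for
            throw new UnauthorizedAccessException("user is not a member of this company");
        var claims = new List<Claim> { new("sub", userId.ToString()), new("company", companyId.ToString()) };
        claims.AddRange(rolesIn(companyId, userId).Select(r => new Claim(ClaimTypes.Role, r)));
        return Write(claims, "core", TimeSpan.FromMinutes(30));
    }

    private string Write(IEnumerable<Claim> claims, string audience, TimeSpan lifetime) =>
        _handler.WriteToken(_handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = Issuer, Audience = audience, Subject = new ClaimsIdentity(claims),
            Expires = DateTime.UtcNow.Add(lifetime),
            SigningCredentials = new SigningCredentials(_key, SecurityAlgorithms.HmacSha256)
        }));

    // Core validates with audience "core", Dashboard with "dashboard": a token for one app is rejected by the other.
    public TokenValidationParameters Validation(string audience) => new()
    {
        ValidIssuer = Issuer, ValidAudience = audience, IssuerSigningKey = _key, ValidateIssuerSigningKey = true,
        ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30)
    };
}
```

The Core app should additionally compare the `company` claim against the tenant whose CoreDatabase it is about to open on every request, so a token for company X can never reach company Y's data even if both share the same Core deployment.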