Multi-Organization Sessions
I’m currently using the organization and OIDC provider plugins to build a multi-tenant system, and I’d like to confirm that my design is correct.
Current setup:
- I have a core authentication server and several client web apps. Sessions are handled through the Better Auth OIDC provider.
Desired behavior:
- When a user logs into app1 for orgA, they should get a session where activeOrganizationId = orgA.
- That same session (with activeOrganizationId = orgA) should be usable across app1 and app2, as long as both are part of orgA.
- At no point should orgB’s users or sessions be able to access orgA’s apps, and vice versa.
Planned workaround:
- I’m applying a database hook (on session create) to automatically assign activeOrganizationId in the session on the core auth server.
- On the client app, I use a session.create.before hook to allow or reject session creation based on organization access.
Questions:
- Is my planned workaround correct, or is there a better way to do it?
- What happens if a user is using multiple apps and opens each in a different browser tab at the same time (for example, logging into app1 and app2 concurrently, potentially for different organizations)?
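The two hooks described in the post, written out as an added example (this is editorial example code, not the poster's code and not Better Auth's own API): the core-server hook that pins `activeOrganizationId` at session creation, and the per-app gate that accepts or rejects a session. The membership table, the app-to-organization map, the `requestedOrgId` parameter and the return convention (`{ data: ... }` to override the row, `false` to abort) are all assumptions made for the example. The security-relevant point is that the app-side gate does not trust the `activeOrganizationId` claim by itself; it re-checks that the user is actually a member of the app's organization.

```javascript
// Added example: hook-shaped pure functions over constructed data, so the
// allow/reject logic can be run offline. Not the project's own code.

// Constructed membership table (assumption): which users belong to which orgs.
const MEMBERSHIPS = [
  { userId: "u1", organizationId: "orgA", role: "member" },
  { userId: "u2", organizationId: "orgB", role: "owner" },
  { userId: "u3", organizationId: "orgA", role: "member" },
  { userId: "u3", organizationId: "orgB", role: "member" },
];

// Constructed map (assumption): which organization each client app belongs to.
const APP_ORG = { app1: "orgA", app2: "orgA", app3: "orgB" };

// All organization ids the user is a member of.
function organizationsFor(userId, memberships = MEMBERSHIPS) {
  return memberships
    .filter((m) => m.userId === userId)
    .map((m) => m.organizationId);
}

// Core auth server: decide activeOrganizationId when the session row is created.
// `requestedOrgId` is a hypothetical input (e.g. derived from which OIDC client
// started the login). Returns { data: session } to override the row being
// written, or false to refuse creating the session at all.
function assignActiveOrganization(session, requestedOrgId, memberships = MEMBERSHIPS) {
  const orgs = organizationsFor(session.userId, memberships);
  if (orgs.length === 0) return false; // no memberships: no session
  if (requestedOrgId && !orgs.includes(requestedOrgId)) return false; // not a member
  // Design choice: with no explicit request, fall back to the first membership.
  const active = requestedOrgId || orgs[0];
  return { data: { ...session, activeOrganizationId: active } };
}

// Client app: accept a session only if its active org is this app's org AND the
// user really is a member of that org. The second check matters because a
// session's activeOrganizationId is just a field; membership is the authority.
function gateSessionForApp(session, appId, memberships = MEMBERSHIPS, appOrg = APP_ORG) {
  const expected = appOrg[appId];
  if (!expected) return false; // unknown app: refuse
  if (session.activeOrganizationId !== expected) return false; // wrong org
  if (!organizationsFor(session.userId, memberships).includes(expected)) {
    return false; // claim says orgA but the user is not actually in orgA
  }
  return { data: session };
}

// Walk-through on the constructed data.
const s1 = assignActiveOrganization({ id: "s1", userId: "u1" }, "orgA");
console.log("u1 session active org:", s1 && s1.data.activeOrganizationId);
console.log("u1 into orgB:", assignActiveOrganization({ id: "s2", userId: "u1" }, "orgB"));
console.log("u2 spoofing orgA at app1:",
  gateSessionForApp({ id: "s3", userId: "u2", activeOrganizationId: "orgA" }, "app1"));
console.log("u3 orgB session at app1 (orgA):",
  gateSessionForApp({ id: "s4", userId: "u3", activeOrganizationId: "orgB" }, "app1"));
```

The app-side gate is what keeps orgB's sessions out of orgA's apps: even for a user who belongs to both organizations (`u3` above), a session whose active organization is orgB is rejected by an orgA app, and a session whose claim was tampered to say orgA is rejected when the membership lookup disagrees.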