How do companies handle authentication in their multi-tenant web apps?
Essentially I have a single PostgreSQL database instance with many tables. Each table has a workspace_id column which I will use to use to grant/deny access. You can think of a workspace as a client and a single user can be associated with multiple workspaces.
My initial thought was to:
- Use the frontend app and let the user send the email and password to
the backend. - Backend validates details and returns all the workspaces the user belongs to.
- The frontend app displays the workspaces.
- User selects the workspace they want to login into. The id of the workspace and the user details that were passed in step 1 is again to the backend.
- The backend validates again all the details and issues a
jwttoken containing the user details and the workspace id. - Later when the user tries to access any resource I will extract the workspace id from the token to check if the user has access to a resource or not.
I am halfway through implementing what I’ve described above but I am not sure if that’s the best approach. What do you think?