Implementing multi-tenant authentication with JWTs

03 Oct 2023

authentication

In today’s world of software as a service (SaaS) applications, it’s common to have a single application serving multiple tenants. A tenant, in this context, refers to a separate instance or customer of the application. Each tenant has its own data and user accounts that need to be securely managed.

One crucial aspect of multi-tenant applications is authentication. How can we authenticate users across different tenants while maintaining the necessary security measures? One solution is to use JSON Web Tokens (JWTs). JWTs provide a secure way to transmit information between parties as a JSON object, and they can be used to authenticate and authorize users.

What is a JWT?

A JWT is an encoded string that contains a set of claims. Claims are statements about an entity (typically, the user) and additional metadata. JWTs consist of three parts: a header, a payload, and a signature.

The header contains information about the type of the token and the algorithm used to generate the signature. The payload contains the claims, such as the user’s email or role. The signature is used to verify the integrity of the token.

Adding multi-tenancy to JWT authentication

To implement multi-tenant authentication with JWTs, we need to include the tenant identifier in the token. This allows the server to determine which tenant the user belongs to during the authentication process.

One way to accomplish this is by adding a custom claim in the payload of the JWT. Let’s call this claim “tenant_id”. When generating a JWT for a user, we include their tenant ID in this claim. When verifying the JWT, the server checks the “tenant_id” claim to ensure that the user belongs to the appropriate tenant.

Here’s an example of generating a JWT with the “tenant_id” claim using Node.js and the jsonwebtoken library:

const jwt = require('jsonwebtoken');

const user = {
  id: '123456',
  email: 'user@example.com',
  tenantId: 'abc123' // The tenant identifier
};

const token = jwt.sign(user, 'secret', { expiresIn: '1h' });
console.log(token);

In this example, we include the tenantId property in the user object before generating the token using the jwt.sign method. The “tenant_id” claim will be automatically added to the payload of the JWT.

To verify the JWT on the server side, we can use the same library:

const jwt = require('jsonwebtoken');

const token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjEyMzQ1NiIsImVtYWlsIjoidXNlckBleGFtcGxlLmNvbSIsInRlbmFudElkIjoiYWJjMTIzIiwiaWF0IjoxNTE2MjM5MDIyfQ.K8u1ZP-xl1-yRnMYyowhD2eJrdg0ITk8n3WH82MPhWQ';

jwt.verify(token, 'secret', (err, decoded) => {
  if (err) {
    console.error('Invalid token');
  } else {
    console.log(decoded);
    // Perform authentication logic based on the tenant ID
  }
});

In this example, we use the jwt.verify method to verify the token, passing the secret key used to sign the token as a parameter. If the verification is successful, the decoded JWT is available in the decoded variable, and we can access the “tenant_id” claim to determine the user’s tenant.

Conclusion

Implementing multi-tenant authentication is crucial for SaaS applications. Using JWTs with custom claims is an effective way to add multi-tenancy support to your authentication process. By including the tenant identifier in the JWT, you can securely authenticate users across different tenants while maintaining the necessary security measures.

#jwt #authentication