Oauth Multi tenancy: Should access token be generated per user or tenant?

Question

We have a platform that is running on a Multi-Tenant scheme. So we have Tenant as parent and Users as children in the scenario. We are developing a Rest API on that platform (we have SOAP services now) with Oauth authentication scheme.

I am curious to know how we are going to generate the Access Token on each app that third parties will develop. Is it per User or per Tenant? With that I mean, if User2 grants access on App-A on Tenant1, then does this mean if User1 wishes to use App-A then he will not be prompted by the permission to grant access dialog? Both Users are residing on the same tenant.

Answer 1

It depends on your specific use case but I would tie it to the credentials being entered. Hence if User 1 and User 2 have a different distinct account with their own login/password (or whatever) is in use, then they should have their own access token. The reason is that the instance of the app each user is using needs to end up with an access token - so in your example User2 would have to go through the oAuth dance anyway.

The other, more general reason is that it safeguards you for the future when maybe you end up giving different users different rights.

Hope that helps.