I have implemented an OpenID Connect (OIDC) Single Sign-On (SSO) system for my platform. Users only need to configure their client ID, client secret, authorization URL, and token URL to enable authentication. Once a user logs in via the SSO provider, they are redirected to our backend, which creates a session and authenticates them.
My platform is a multi-tenant system, and within each tenant, a user can have one of the following roles:
- Admin
- User
- Org-Reader
I need to ensure that the role assigned by the SSO provider is correctly mapped within our platform. The challenges I am facing are:
- How do I retrieve and map roles from the OIDC authentication response?
- Is there a standard OIDC claim (e.g., roles claim) that should be used for this?
What I've Tried:
I have looked into the ID token and the access token but haven't found a clear way to structure tenant-specific roles. I have also checked the OpenID Connect specification, but I need guidance on best practices for multi-tenancy role assignment.
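An added example, not part of the question above. OIDC Core defines no standard roles claim, so any role information in an ID token is a provider-specific custom claim; the code below assumes a hypothetical namespaced claim name and shows how to map two common claim shapes (an object keyed by tenant, or a flat list of `tenant:role` strings) onto the three platform roles through a strict allowlist that fails closed on anything unexpected.

```python
from enum import Enum

class PlatformRole(Enum):
    ADMIN = "Admin"
    USER = "User"
    ORG_READER = "Org-Reader"

# Hypothetical custom claim name; a URL-style namespace avoids clashing with provider-defined claims.
TENANT_ROLES_CLAIM = "https://example.com/claims/tenant_roles"

# Explicit allowlist: only these exact provider role strings map to a platform role.
ROLE_MAP = {"admin": PlatformRole.ADMIN, "user": PlatformRole.USER, "org-reader": PlatformRole.ORG_READER}

# Policy choice when the provider grants several roles but the platform stores one per tenant.
PRECEDENCE = (PlatformRole.ADMIN, PlatformRole.ORG_READER, PlatformRole.USER)

def _tenant_roles(value, tenant_id):
    """Normalise the two common claim shapes into the raw role strings for one tenant.

    Shape A (object):    {"tenant-42": ["admin"], "tenant-7": ["user"]}
    Shape B (flat list): ["tenant-42:admin", "tenant-7:user"]
    Any other shape, or a malformed entry, yields no roles, so the mapping fails closed.
    """
    if isinstance(value, dict):
        raw = value.get(tenant_id, [])
        return [r for r in raw if isinstance(r, str)] if isinstance(raw, list) else []
    if isinstance(value, list):
        prefix = f"{tenant_id}:"
        return [r[len(prefix):] for r in value if isinstance(r, str) and r.startswith(prefix)]
    return []

def map_tenant_roles(claims, tenant_id):
    """Return the platform roles granted to the user within tenant_id.

    `claims` must be the payload of an ID token whose signature, issuer, audience,
    expiry and nonce were already verified; this function does no cryptography.
    Unknown role strings are dropped, so a provider-side typo removes privilege rather than adding it.
    """
    raw = _tenant_roles(claims.get(TENANT_ROLES_CLAIM), tenant_id)
    return frozenset(ROLE_MAP[r] for r in raw if r in ROLE_MAP)

def effective_role(claims, tenant_id):
    """Pick the single role to store on the session, or None if the user has no access to this tenant."""
    roles = map_tenant_roles(claims, tenant_id)
    return next((r for r in PRECEDENCE if r in roles), None)

# Constructed sample payload (not a real token); "superuser" is deliberately not in the allowlist.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com", "sub": "user-123", "aud": "my-client-id",
    TENANT_ROLES_CLAIM: {"tenant-42": ["admin", "user"], "tenant-7": ["org-reader"], "tenant-9": ["superuser"]},
}
```

Whichever shape you choose, the tenant identifier the user is logging into must come from your own session or request context and be looked up in the claim, never taken from the token alone.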