# ory-network
c
Heya all, quick question: I have a User in Ory, but I need to know which Organisation it belongs to, so that in my backend I know which data to fetch for that user. Is this something that should be stored in Ory (as metadata?) or outside of it?
m
Hi Miguel, assuming this is for a multi-tenant application? We have similar questions and are going down the "outside Ory" route. In our scenario, users can be members of multiple tenants, so in our DB we store the relationship in a `members` table that has `ory_id` and `org_id` columns.
c
That's what I'm thinking as well. For now I added the ID of the org they belong to to the Ory metadata field, so that I can access it in my frontend and backend. Is that how you guys are doing it as well?
m
We're not storing anything system/environment specific in Ory; that way we can use the same identities across different environments or apps, e.g. we can give a user access to a test and prod environment without Ory caring.
c
Ah I see! How would you store information that is relevant to the session then? For example the accountId a user belongs to, or the role they have, to check whether certain routes in the frontend should be accessible or not.
m
We're still learning too, and I think one area that is missing from support material and the web in general, as far as my searching has gone (FYI @magnificent-energy-493), is handling the shift in concept from authorisation and app data co-existing in the same system to using an external identity provider.
Our approach has been for the session to only confirm the user is who they say they are; any other information (name, authorisation etc.) is taken from our system, e.g. if it's a SPA app, one of the first calls on load could be to an API that returns the sections the authenticated user has access to.
c
Right, I see, so every request that is made to the server will check the session on the server to see, for example, if a certain page can be visited on the frontend?
m
Yes, that's my understanding.
Sorry, I may not have understood your reply... If the front end is a SPA, when it loads, it could call the API (once) to retrieve a list of user roles, or sections that they have access to. Every request to the API would validate that the session is still active.
c
Right, that makes sense! Thanks, this is helpful.