# talk-hydra
m
We're running a multi-tenancy application with unified users (i.e. a single subject can access multiple tenants). In the consent flow, we ask the user to choose which tenant they want to grant access to, which is then stored as the audience. Now, what would be the preferred way to list all the Hydra clients that have been granted access to a certain tenant? The only way I can think of is calling the `/oauth2/auth/sessions/consent` endpoint once for each user having access to the tenant to create a list of clients. Is there any other trick (and do you think our approach of setting the audience is correct, or could we make life easier for ourselves somehow)?
l
That's an interesting thought. In our use case we have a multi-tenancy application, too. But we set the tenant ID as a separate claim and not as part of the audience claim. Is there any drawback in encoding the tenant identifier in the audience? Validating the audience will become more complex, especially in a microservices architecture with multiple services. Not sure if there is another drawback? Is there a drawback in using a custom claim? Currently, it is not possible to add custom claims to an access token using the client credentials flow with Hydra. Not sure if there is any other drawback. For now we didn't see any (for our use case).
m
@late-france-48187 thanks for your input. I actually decided to move it to a custom claim. How did you solve the part about listing which "apps" (clients) are "installed" (consent sessions, I guess) on each tenant? Do you keep a cached list somewhere, or do you just call the `/oauth2/auth/sessions/consent` endpoint for every user which has access to a specific tenant?
Maybe some Ory officials have a great approach to this? 😉
Maybe it'd be a better approach to save the tenant as the subject and the approving user's ID/name in a separate claim. That would probably make way more sense for our use case.