I have a Multi-Tenant Azure WebApp that is protected with [Authorize] and AAD.
I have a Multi-Tenant Azure WebApi that is accessed by the WebApp and that also uses [Authorize] and AAD and User Claim Scope validations.
I am looking for the proper way to protect the WebApp, so that although it is Multi-Tenant it can validate individual users' ability to use the WebApp, versus merely doing IssuerValidation, which is the default way. Using this, however, merely ensures that I can check that a Tenant is OK to call the App, not that an individual in the Tenant can.
I would love any suggestions, guidance, etc. on how to implement this based on what is available in the StartUp.Auth.cs at run time. Maybe I need to track both Tenants (Guids/issuers) plus the individuals' guid/id within their directory and store that in a DB/Azure Table/Something, and then when they attempt to access, check?
I guess if that is the case, what is the proper way to get that information at run time, both from a registration perspective (I guess have a sign-up flow) and then in the Startup.Auth to get the credentials of the person currently attempting to log in?
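An added example (not code from the question) of the approach the post describes: in Startup.Auth.cs, keep issuer validation off for multi-tenancy but gate sign-in per user in OWIN's SecurityTokenValidated notification by checking the tenant id (tid) and object id (oid) claims against a registration store. The in-memory allow-list, its GUIDs, the /Account/SignUp path and the Katana 4.x namespace for TokenValidationParameters are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;              // TokenValidationParameters (Katana 4.x)
using Microsoft.Owin.Security.OpenIdConnect;

public static class UserGate
{
    const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    // Constructed allow-list standing in for the DB/Azure Table the post considers:
    // "<tenant id>|<object id>" of every user who completed sign-up (placeholder GUIDs, not real values).
    static readonly HashSet<string> Registered = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "00000000-0000-0000-0000-0000000000a1|00000000-0000-0000-0000-0000000000b1",
    };

    // Both the tenant (tid) and the individual (oid) must match; a missing claim fails closed.
    public static bool IsRegistered(string tenantId, string objectId)
    {
        return tenantId != null && objectId != null && Registered.Contains(tenantId + "|" + objectId);
    }

    // Wire from Startup.Auth.cs: app.UseOpenIdConnectAuthentication(UserGate.Options(clientId));
    public static OpenIdConnectAuthenticationOptions Options(string clientId)
    {
        return new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = "https://login.microsoftonline.com/common",   // multi-tenant endpoint
            // Issuer allow-listing is replaced by the per-user check below; signature/audience checks still run.
            TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = ctx =>
                {
                    ClaimsIdentity id = ctx.AuthenticationTicket.Identity;
                    string tid = id.FindFirst(TenantIdClaim)?.Value;
                    string oid = id.FindFirst(ObjectIdClaim)?.Value;
                    if (!IsRegistered(tid, oid))
                    {
                        ctx.HandleResponse();                     // sign-in stops: no auth cookie is issued
                        ctx.Response.Redirect("/Account/SignUp"); // assumed sign-up page, not in the post
                    }
                    return Task.FromResult(0);
                }
            }
        };
    }
}
```

The sign-up flow would write the same tid|oid pair into the store after the user's first successful token validation, so registration and the run-time check read the same two claims.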