Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Asp.net Core 2 enable multi tenancy using Identity Server 4

I have an IDP (Identity Server 4) hosted with multiple bindings: auth.company1.com and auth.company2.com I also have an API protected from that IDP. So in order to access the API I need to get the access token from the IDP. This is configured at startup class at the API level like this:

     services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://auth.company1.com/";
                options.RequireHttpsMetadata = true;
                options.ApiName = "atb_api";
            });

How can I configure options.Authority dynamically so it allows authority from multiple domains https://auth.company1.com/ and https://auth.company2.com/ ?

like image 676
Gzim Helshani Avatar asked Jul 08 '18 11:07

Gzim Helshani


1 Answers

I solved this.

At the protecting API level at the startup class I have this configuration:

services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = "https://shared-domain-for-every-tenant/";
            options.RequireHttpsMetadata = true;
            options.ApiName = "atb_api";
        });

The magic happens at the IDP level (IdentityServer4), while configuring the IdentityServer I add the option IssuerUri like this:

services.AddIdentityServer(options => {
            options.IssuerUri = "https://shared-domain-for-every-tenant/";
        })..AddDeveloperSigningCredential() ...other configurations ...

When I navigate to https://auth.company1.com/.well-known/openid-configuration the returned document is like this:

  {
    "issuer": "https://shared-domain-for-every-tenant/",
    "jwks_uri": "https://auth.company1.com/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "https://auth.company1.com/connect/authorize",
    "token_endpoint": "https://auth.company1.com/connect/token",
    "userinfo_endpoint": "https://auth.company1.com/connect/userinfo",
    ...
  }

Notice the issure is a static url while all the other endpoints are specific to the tenant that made the request. This allows the API to validate the access token and also have different endpoints for each tenant (I need this to show a different login screen for each of them).

Hope it helps someone out there :)

like image 180
Gzim Helshani Avatar answered Sep 28 '22 04:09

Gzim Helshani