Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

ASP.NET Identity + Bearer Token + Multi-Tenant

I've created a multi-tenant application using Entity Framework, WebAPI, ASP.NET Identity. Basically it reads the subdomain of the tenant and using it to read the connection string from the database and sets it on runtime.

Everything is great, database is creating etc, but the only issue now is the ASP.NET Identity Bearer Token.

When I've generated a bearer access token for http://tenant1.#####.com/token, it seems that the token is signed on the same application (no machine key was specified) and it's allowing access to http://tenant2.#####.com controllers as well, which shouldn't be the case as it's different subdomains / tenants.

Are there any ways around this? Or perhaps I should be looking into other Security Framework and not ASP.NET Identity?

like image 726
Tommy Ong Avatar asked Oct 20 '22 01:10

Tommy Ong


1 Answers

MVC5 makes it easy to add a tenant name claim to the user identity. In the Models directory, edit the ApplicationUser class in IdentityModels.cs:

public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
{
    // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
    var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);

    // Add claim for tenant name
    userIdentity.AddClaim(new Claim("tenantName", "abcCompany");

    // Add custom user claims here
    return userIdentity;
}

Then when an authenticated request is processed, validate that the User contains correct claim and value.

like image 165
Bill Heitstuman Avatar answered Oct 22 '22 16:10

Bill Heitstuman