Asp.net Core 2 enable multi tenancy using Identity Server 4
I have an IDP (Identity Server 4) hosted with multiple bindings: auth.company1.com and auth.company2.com. I also have an API protected by that IDP, so in order to access the API I need to get the access token from the IDP. This is configured in the Startup class at the API level like this:

    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = "https://auth.company1.com/";
            options.RequireHttpsMetadata = true;
            options.ApiName = "atb_api";
        });

How can I configure options.Authority dynamically so that it accepts an authority from multiple domains, https://auth.company1.com/ and https://auth.company2.com/?

Riccardo answered 8/7, 2018 at 11:50 Comment(0)

I solved this.

At the protected API level, in the Startup class, I have this configuration:

    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = "https://shared-domain-for-every-tenant/";
            options.RequireHttpsMetadata = true;
            options.ApiName = "atb_api";
        });

The magic happens at the IDP level (IdentityServer4). While configuring the IdentityServer, I add the IssuerUri option like this:

    services.AddIdentityServer(options =>
        {
            // Static issuer shared by every tenant binding
            options.IssuerUri = "https://shared-domain-for-every-tenant/";
        })
        .AddDeveloperSigningCredential()
        // ...other configurations ...

When I navigate to https://auth.company1.com/.well-known/openid-configuration the returned document is like this:

    {
        "issuer": "https://shared-domain-for-every-tenant/",
        "jwks_uri": "https://auth.company1.com/.well-known/openid-configuration/jwks",
        "authorization_endpoint": "https://auth.company1.com/connect/authorize",
        "token_endpoint": "https://auth.company1.com/connect/token",
        "userinfo_endpoint": "https://auth.company1.com/connect/userinfo",
        ...
    }

Notice that the issuer is a static URL while all the other endpoints are specific to the tenant that made the request. This allows the API to validate the access token and also have different endpoints for each tenant (I need this to show a different login screen for each of them).

Hope it helps someone out there :)

Riccardo answered 19/7, 2018 at 11:30 Comment(1)
When using the AddJwtBearer() extension, you can specify a custom issuer validator method and do the validation there. Look for config.TokenValidationParameters.IssuerValidator. The package that provides AddIdentityServerAuthentication seems to be no longer maintained according to the project docs. – Highfalutin
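The IssuerValidator alternative mentioned in the comment above, written out as an added example (this is not code from the question, the answer or IdentityServer4): the API keeps a single Authority for key discovery but only accepts tokens whose iss is on an explicit allow-list, so a token from an unknown host is rejected even if it is signed with the right key. The tenant hostnames, the TenantAuthConfig class and the assumption that all tenant bindings publish the same signing key at the shared authority are mine.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class TenantAuthConfig
{
    // Assumed allow-list of tenant issuers; load it from configuration in a real deployment.
    // Stored without a trailing slash so both "https://host" and "https://host/" match.
    private static readonly HashSet<string> AllowedIssuers =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "https://auth.company1.com",
            "https://auth.company2.com",
        };

    // Signature required by TokenValidationParameters.IssuerValidator:
    // return the issuer to accept it, throw to reject it.
    public static string ValidateIssuer(string issuer, SecurityToken token,
                                        TokenValidationParameters parameters)
    {
        var normalised = issuer?.TrimEnd('/');
        if (normalised != null && AllowedIssuers.Contains(normalised))
        {
            return issuer;
        }

        // Anything not on the allow-list fails validation; the exception type makes the
        // failure show up as an invalid-issuer error in the authentication logs.
        throw new SecurityTokenInvalidIssuerException(
            $"Issuer '{issuer}' is not an allowed tenant") { InvalidIssuer = issuer };
    }

    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Discovery and signing keys still come from one well-known authority
                // (assumed here to be the shared domain from the accepted answer).
                options.Authority = "https://shared-domain-for-every-tenant/";
                options.RequireHttpsMetadata = true;
                options.Audience = "atb_api";
                options.TokenValidationParameters.ValidateIssuer = true;
                options.TokenValidationParameters.IssuerValidator = ValidateIssuer;
            });
    }
}
```

If you instead use the accepted answer's static IssuerUri, the default issuer check against the discovery document is enough and no custom validator is needed.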

© 2022 - 2024 — McMap. All rights reserved.