
Multi-tenancy, IdentityServer4 and OpenId Connect #10104


dev1_premierpoint created

Product version: ASP.NET Zero v9.1 Product type: MVC & jQuery Product framework type: .NET Core

I have IdentityServer4 (3.x version) working in my application. I was able to build and test the OpenId Connect MVC test client app you provide in Github. I followed this page in your documentation to configure both sides and got it working:

https://docs.aspnetzero.com/en/aspnet-core-mvc/latest/Infrastructure-Core-Mvc-Identity-Server4-Integration

It works fine in Dev with multi-tenancy enabled in my ASP.NET Zero application because I can use the tenant picker control on the ASP.NET Zero Login page to select the tenant to login to when using OpenId Connect.

However, I don't see how it can work in a production ASP.NET Zero multi-tenant environment when each tenant will have their own subdomain using the ASP.NET Zero approach to multi-tenancy.

In the OpenId Connect MVC test client it is necessary to specify the OpenId Connect Authority Url. In Dev, I just specify the localhost Url that the ASP.NET Zero application is running on (for instance, https://localhost:44302).

In production, per the way ASP.NET Zero handles multi-tenancy, a user for a tenant named "T1" would need to authenticate at T1.publicdomainname.com. A user for a tenant named "T2" would need to authenticate at T2.publicdomainname.com. And so on.

It seems like the only way this would work on the OpenId Connect client side is if the client is able to support building the OpenId Connect Authority Url dynamically based on target ASP.NET Zero application's tenant Url.

Is this the way IdentityServer4 and OpenIdConnect and ASP.NET Zero Multi-Tenancy are intended to work together?

If so, if my ASP.NET Zero app is trying to be the Identity Provider for other client apps that integrate with it for single sign-on purposes, those other apps have to have the ability to dynamically generate the OpenID Connect Authority Url based on the tenant the user is a member of. That seems like an unlikely feature for a 3rd-party OpenId Connect client app to support unless I am missing something?

Thanks.
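The per-tenant authority the question describes (tenant "T1" authenticating at T1.publicdomainname.com) can be built on the client side, but the tenancy name then becomes input that selects the issuer, so it has to be validated and the returned token's `iss` claim checked against the authority that was chosen. The helper below is an added example written for this thread, not code from ASP.NET Zero, IdentityServer4 or the test client; the tenancy-name pattern and the base domain are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;

// Builds and checks the per-tenant OpenID Connect authority URL for an
// ASP.NET Zero host that serves each tenant on its own subdomain
// (T1.publicdomainname.com, T2.publicdomainname.com, ...).
public static class TenantAuthority
{
    // Assumption: a tenancy name must be a single DNS label (letter first,
    // then letters, digits or hyphens, 2-63 chars). Rejecting anything else
    // stops a caller-supplied name such as "t1.evil.com" or "evil.com/#" from
    // turning the authority into a foreign issuer.
    private static readonly Regex TenancyName =
        new Regex("^[a-zA-Z][a-zA-Z0-9-]{1,62}$", RegexOptions.Compiled);

    public static string Build(string tenancyName, string baseDomain)
    {
        if (tenancyName == null || !TenancyName.IsMatch(tenancyName))
            throw new ArgumentException("Invalid tenancy name", nameof(tenancyName));

        // Host names are case-insensitive; normalise so later comparisons are stable.
        return $"https://{tenancyName.ToLowerInvariant()}.{baseDomain.ToLowerInvariant()}";
    }

    // The 'iss' claim of the id_token must match the authority the client
    // redirected to. Without this check a token minted for tenant T2 could
    // complete a login that was started for tenant T1. Only a trailing slash
    // is tolerated; the rest of the comparison is exact, as OIDC requires.
    public static bool IssuerMatches(string expectedAuthority, string issuerClaim)
    {
        if (expectedAuthority == null || issuerClaim == null) return false;
        return string.Equals(
            expectedAuthority.TrimEnd('/'),
            issuerClaim.TrimEnd('/'),
            StringComparison.Ordinal);
    }

    public static void Main()
    {
        var t1 = Build("T1", "publicdomainname.com");
        Console.WriteLine(t1);
        Console.WriteLine(IssuerMatches(t1, "https://t1.publicdomainname.com/"));
        Console.WriteLine(IssuerMatches(t1, "https://t2.publicdomainname.com"));
        try { Build("t1.evil.com", "publicdomainname.com"); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The client's OIDC handler would still need its metadata (discovery document, signing keys) fetched per tenant authority; this helper only covers the URL construction and the issuer check that a dynamic authority makes necessary.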


1 Answer(s)

ismcagdas created (Support Team)

    Hi @dev1_premierpoint

    As far as I know, you can't use such subdomains for auth server URL. For such authentication, I think it is better to use the host URL and send the Tenant Id in the Abp.TenantId request header.