
I have a multi-tenant scenario in which one email can be associated with multiple tenants.

I've thus configured a custom AccountChooserResponseGenerator that inherits from the built-in AuthorizeInteractionResponseGenerator class.

After the user authenticates, the UI correctly diverts the user to an Account Chooser view, which lists the tenants the email address is associated with. The idea is that the user must now select the Tenant he/she wants to log in to, and is then redirected to that Tenant's URI.

My problem though is that I can't figure out how, after selecting a Tenant, I can add that Tenant Id as a Claim to the token that gets passed to the app from IdentityServer (multiple tenants could share the same URL so I need something in the token to know which Tenant has context).

So in the AccountChooserController.TenantSelected(long tenantId) method, I'm expecting to be able to add this tenantId to the User Claims, but it does not seem like this is supported.

Please advise if this is possible, and how?

Shawn de Wet

1 Answer


Put the tenant information into the cookie when calling SignInAsync - you can then retrieve it from your profile service.

leastprivilege
  • Thanks, but my problem is that the user first logs in with their email and password, and only then can the user be presented with a list of tenants that their email is linked to. So by the time the tenant list is displayed, the SignInAsync has already happened. – Shawn de Wet Aug 03 '18 at 07:18
  • Ah wait...I think I got an idea from your answer....perhaps after providing their credentials, my IdentityServer should not yet call `SignInAsync`, but use those credentials to provide the list of tenants...then after the user selects a tenant, only then call `SignInAsync` (or perhaps call it again)...I will do some figuring out. Thanks. – Shawn de Wet Aug 03 '18 at 07:21
  • Nope, can't get that to work. I need to call `SignInAsync`, and only THEN provide the user with his/her list of associated Tenants to log in to. This is because, without being signed in to a Tenant, there will be functionality that gets enabled in the IdentityServer app (profile management, etc) that is possible WITHOUT having selected a Tenant yet. Please advise how Tenant info can be added AFTER the user has signed in? – Shawn de Wet Aug 06 '18 at 12:15
  • @ShawndeWet I think you can use temporary cookie authentication when the user first logs in. To protect profile management you use this temp authentication scheme, and when the user selects a tenant, you call SignInAsync for the IdentityServer default authentication scheme. – adem caglin Aug 06 '18 at 14:13
  • @ademcaglin I assume this means when the user first logs in I don't call `_signInManager.SignInAsync`? But what do I call instead in order to authenticate the provided credentials? – Shawn de Wet Aug 06 '18 at 16:07
  • Perhaps `_signInManager.CheckPasswordSignInAsync`? But from what I can find online it looks like this does a sign in as well? – Shawn de Wet Aug 06 '18 at 16:14
  • 1
    Ah yes indeed, found it here: https://github.com/aspnet/Identity/issues/852 `CheckPasswordSignIn` does just that - checks that credentials are valid, but does not do the full sign-in. – Shawn de Wet Aug 06 '18 at 16:19
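The flow the answer and comments converge on, written out as an added example (this is not code from the question, the answer, or IdentityServer4 itself): `CheckPasswordSignInAsync` verifies the password without issuing the application cookie, a short-lived temporary cookie scheme carries only the subject to the account chooser, `TenantSelected` checks the posted tenant against the user's memberships before signing in to the real scheme with a `tenant_id` claim, and a profile service copies that claim into the tokens. It assumes IdentityServer4 on top of ASP.NET Core Identity via `AddAspNetIdentity` (so IdentityServer reads Identity's application cookie), and the `ITenantStore`, the `TenantSelection` scheme name and the `tenant_id` claim name are hypothetical names chosen for the example.

```csharp
// Added example, not from the original post. Assumes IdentityServer4 + ASP.NET Core Identity
// (AddAspNetIdentity). ITenantStore, "TenantSelection" and "tenant_id" are hypothetical names.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical membership lookup: which tenants may this user log in to?
public interface ITenantStore { Task<IReadOnlyList<long>> TenantsForUserAsync(string userId); }

public static class TenantAuth
{
    public const string SelectionScheme = "TenantSelection"; // temporary cookie, NOT the IdentityServer scheme
    public const string TenantClaim = "tenant_id";
}
// Startup.ConfigureServices excerpt (hypothetical wiring):
//   services.AddAuthentication().AddCookie(TenantAuth.SelectionScheme, o =>
//       { o.Cookie.Name = "idsrv.tenantselect"; o.ExpireTimeSpan = TimeSpan.FromMinutes(10); o.SlidingExpiration = false; });
//   services.AddIdentityServer()...AddAspNetIdentity<IdentityUser>().AddProfileService<TenantProfileService>();

public class AccountController : Controller
{
    private readonly UserManager<IdentityUser> _users;
    private readonly SignInManager<IdentityUser> _signIn;
    public AccountController(UserManager<IdentityUser> users, SignInManager<IdentityUser> signIn)
    { _users = users; _signIn = signIn; }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string email, string password, string returnUrl)
    {
        var user = await _users.FindByEmailAsync(email);
        // Verifies the password and applies lockout, but does NOT issue the application cookie.
        // Note: unlike PasswordSignInAsync this does not run Identity's 2FA step.
        var check = user == null
            ? SignInResult.Failed
            : await _signIn.CheckPasswordSignInAsync(user, password, lockoutOnFailure: true);
        if (!check.Succeeded) return View("Login"); // same view for bad password and lockout

        // Temporary identity carries only the subject; returnUrl rides along in the cookie properties.
        var id = new ClaimsIdentity(TenantAuth.SelectionScheme);
        id.AddClaim(new Claim(JwtClaimTypes.Subject, user.Id));
        var props = new AuthenticationProperties { Items = { ["returnUrl"] = returnUrl ?? string.Empty } };
        await HttpContext.SignInAsync(TenantAuth.SelectionScheme, new ClaimsPrincipal(id), props);
        return RedirectToAction("Index", "AccountChooser");
    }
}

[Authorize(AuthenticationSchemes = TenantAuth.SelectionScheme)] // only the temp cookie gets you here
public class AccountChooserController : Controller
{
    private readonly UserManager<IdentityUser> _users;
    private readonly SignInManager<IdentityUser> _signIn;
    private readonly ITenantStore _tenants;
    private readonly IIdentityServerInteractionService _interaction;
    public AccountChooserController(UserManager<IdentityUser> users, SignInManager<IdentityUser> signIn,
        ITenantStore tenants, IIdentityServerInteractionService interaction)
    { _users = users; _signIn = signIn; _tenants = tenants; _interaction = interaction; }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> TenantSelected(long tenantId)
    {
        var temp = await HttpContext.AuthenticateAsync(TenantAuth.SelectionScheme);
        var userId = temp.Principal?.FindFirst(JwtClaimTypes.Subject)?.Value;
        var user = userId == null ? null : await _users.FindByIdAsync(userId);
        if (user == null) return Forbid();

        // Never trust the posted id: the user must actually belong to that tenant.
        var allowed = await _tenants.TenantsForUserAsync(user.Id);
        if (!allowed.Contains(tenantId)) return Forbid();

        // Build the normal Identity principal, attach the chosen tenant, and sign in to the
        // scheme IdentityServer reads (Identity's application cookie under AddAspNetIdentity).
        var principal = await _signIn.CreateUserPrincipalAsync(user);
        ((ClaimsIdentity)principal.Identity).AddClaim(new Claim(TenantAuth.TenantClaim, tenantId.ToString()));
        await HttpContext.SignInAsync(IdentityConstants.ApplicationScheme, principal);
        await HttpContext.SignOutAsync(TenantAuth.SelectionScheme); // temp cookie is no longer needed

        temp.Properties.Items.TryGetValue("returnUrl", out var returnUrl);
        // Only follow a returnUrl that is a genuine IdentityServer authorize request (no open redirect).
        return !string.IsNullOrEmpty(returnUrl) && _interaction.IsValidReturnUrl(returnUrl)
            ? Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}

public class TenantProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // context.Subject is the signed-in principal; for refresh tokens it is rebuilt from the
        // claims captured at authorization, so tenant_id survives into refreshed tokens too.
        var tenant = context.Subject.FindFirst(TenantAuth.TenantClaim);
        if (tenant != null) context.IssuedClaims.Add(tenant);
        return Task.CompletedTask;
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        context.IsActive = true; // replace with a real user/tenant status check
        return Task.CompletedTask;
    }
}
```

Two points worth keeping in mind when adapting this: the tenant check in `TenantSelected` is the security boundary (the chooser view merely lists options, so the POST must be re-validated server-side), and the `Forbid()` result comes back through the temporary scheme, which is fine for an interactive flow but means profile-management pages guarded only by `TenantSelection` must never expose tenant data. Registering `AddProfileService<TenantProfileService>()` after `AddAspNetIdentity` replaces the default Identity profile service, so copy over any standard claims you still need.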