
I have 2 pieces of software with different business logic and different databases. Both are multi-tenant, and every user has a TenantId property to identify the data of their organization:

dbo.Xpto.Where(x => x.TenantId == userLogged.TenantId);

I want to unify the login and implement IdentityServer, but I have a doubt: how will I capture the user's TenantId if the user has a different TenantId in each piece of software?

I thought of adding claims, for example new Claim("SoftwareOne:TenantId", "123") and new Claim("SoftwareTwo:TenantId", "8f8b8d87-fc07-4508-a33a-2b5f55820836"), and requesting them by scope.

1 Answer


You'll need to see authentication separated from authorization.

Use IdentityServer to authenticate and in general authorize (and by that I mean without context-specific claims) the user, while the actual authorization is done locally or by a separate authorization server.

My setup would be like this:

  • Identity context: users + user claims. For authentication only. Context independent, e.g. as a freelance consultant I have a specific role in different organizations, while my profession remains the same.

    So the profession claim would be a UserClaim, while Role would be an authorization claim.

  • Authorization context: users (id = sub claim) + per application: roles, permissions, etc. In separate 'local' databases or in a central database. Context specific, for authorization only. Take a look at PolicyServer.

    Instead of or combined with an authorization server you can implement resource-based authorization.

  • Business context: users (Id, Name, 'foreign key' sub claim, without the actual database relation as the table is outside the context) + teams, profile, settings, etc. Linked to the sub claim value when users table is omitted.

See my answer here for additional information.

  • Thanks again @Ruard. But what I do not understand is where and how I will store the TenantId at runtime to query the data in the DbContext (global filter). Your authorization suggestion I do not understand: will I have to have an authorization for each tenant and assign the authorization to all users of this tenant? – Marcelo Dias Nov 28 '18 at 10:18
  • Instead of IdentityServer let the PolicyServer add claims to the Identity. If you take a look at the source (PolicyServer.Local), then you'll see that in middleware an identity and claims are added. But you also can think of another approach where tenantid is part of the User in the business context. In that case you don't need claims. –  Nov 28 '18 at 10:25
  • Hi, Ruard. Unfortunately PolicyServer is a paid product (my company and team is small). Your suggestion to leave TenantId in Idsrv's own context is easy; it is easier to migrate a single key to a GUID (my example above) than to keep an authorization server. – Marcelo Dias Nov 28 '18 at 10:47
  • The local version is opensource: https://github.com/policyserver/policyserver.local –  Nov 28 '18 at 11:03
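One concrete form of the middleware approach described in the answer and comments above, as an added example (not code from the answer, from PolicyServer or from the asker's project): an ASP.NET Core claims transformation looks the authenticated user's sub up in this application's own authorization store, adds a local tenant_id claim, and an EF Core global query filter reads that claim, so IdentityServer never needs to know about per-application TenantIds. ITenantLookup, the tenant_id claim name and the string-typed TenantId (which covers both the integer and the GUID example from the question) are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.EntityFrameworkCore;

// Hypothetical local lookup: maps the IdentityServer 'sub' to THIS application's TenantId.
// It lives in the application's own authorization store, not in IdentityServer.
public interface ITenantLookup { Task<string?> TenantIdForAsync(string sub); }

public class TenantClaimsTransformation : IClaimsTransformation
{
    public const string TenantClaimType = "tenant_id";   // local claim name (assumption)
    private readonly ITenantLookup _lookup;
    public TenantClaimsTransformation(ITenantLookup lookup) => _lookup = lookup;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Runs on every request, so never add the claim twice and skip anonymous users.
        if (principal.Identity?.IsAuthenticated != true || principal.HasClaim(c => c.Type == TenantClaimType))
            return principal;

        // 'sub' is remapped to NameIdentifier unless the inbound claim type map was cleared.
        var sub = principal.FindFirst("sub")?.Value ?? principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (sub is null) return principal;

        // Known to IdentityServer but not to this app: no claim, and the filter below matches no tenant.
        var tenantId = await _lookup.TenantIdForAsync(sub);
        if (tenantId is null) return principal;

        var clone = principal.Clone();
        ((ClaimsIdentity)clone.Identity!).AddClaim(new Claim(TenantClaimType, tenantId));
        return clone;
    }
}

public class Xpto { public int Id { get; set; } public string TenantId { get; set; } = ""; }

public class AppDbContext : DbContext
{
    private readonly string? _tenantId;   // taken from the claim added above, per request
    public DbSet<Xpto> Xpto => Set<Xpto>();

    public AppDbContext(DbContextOptions<AppDbContext> options, IHttpContextAccessor accessor) : base(options)
        => _tenantId = accessor.HttpContext?.User.FindFirst(TenantClaimsTransformation.TenantClaimType)?.Value;

    // Global filter: every query on Xpto is scoped to the caller's tenant (assumes TenantId is NOT NULL).
    protected override void OnModelCreating(ModelBuilder modelBuilder)
        => modelBuilder.Entity<Xpto>().HasQueryFilter(x => x.TenantId == _tenantId);
}
```

Register with services.AddHttpContextAccessor() and services.AddTransient<IClaimsTransformation, TenantClaimsTransformation>() in ConfigureServices; each application keeps its own ITenantLookup, so the same sub can map to 123 in one application and to a GUID in the other.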