Multi-tenancy with and IdentityServer 4 and Angular with oidc-client

Question

We are developing a multi-tenanted application using Angular 6. Each tenant accesses the application using their sub-domains, say, client1.app.com, client2.app.com etc.

For authentication purposes, we are using IdentityServer 4. We have followed steps similar to the ones mentioned at: https://identityserver4.readthedocs.io/en/release/quickstarts/7_javascript_client.html.

All works well - the point we are stuck on is how do we specify the redirect_uri in the Angular client application.

As you are well aware, the redirect-uri is used by the Identity Server to return back the authentication results and info. As per the oidc-client library the redirect_uri is a string and we cannot specify multiple values. However, in our case based on the client's sub-domain the redirect-uri will differ and has to be dynamic.

Has anyone encountered similar situation? Am I overlooking anything? Any pointers to solve the above will greatly help.

Thanks Sushil

score 0 · Accepted Answer · answered Nov 28 '18 at 17:14

0

You will need to set the redirect_uri in your client to be resolved from the host (using window.location or whatever solution you want to use here). Then every tenant will pass this URI when accessing Identity Server.

On the Identity Server side, in the Client object, the RedirectUris property is a collection, so there you should add all your tenants' redirect uri's (don't forget the PostLogoutRedirectUris too).

answered Nov 28 '18 at 17:14

m3n7alsnak3

3,026
1
15
24

Thanks - this is what we have done currently - does any know if it has any security flaws? – Sushil Nov 29 '18 at 05:50
What do you mean by that? If you think it makes it less secure - no it doesn't. The level of security is the same as it is with only one instance. – m3n7alsnak3 Nov 29 '18 at 15:56
Thanks @m3n7alsnak3 – Sushil Dec 06 '18 at 10:06

Multi-tenancy with and IdentityServer 4 and Angular with oidc-client

1 Answers1