
We created a multi-tenant SaaS application and I need to change the client_id dynamically. How can I change client_id and client_secret in the OnRedirectToIdentityProvider event?

  • Why would you need to change the client_id? –  May 22 '19 at 07:07
  • Another question is what needs to be changed: if the client_ settings on the client side, then it has nothing to do with IdentityServer; if the Clients on the IdentityServer side, then it has nothing to do with the `OnRedirectToIdentityProvider` event – d_f May 22 '19 at 09:42
  • Then *multi-tenant* usually means just introducing a *tenant* property/claim and taking it into account when fetching or handling the data, but changing the name of an application depending on the tenant it's currently working with: that's a totally wrong approach – d_f May 22 '19 at 09:55
  • @d_f Yes, you're right. We need to change our approach. – Bahadır Civelek May 23 '19 at 20:26

1 Answer

As mentioned in the comment by @d_f, it's a wrong approach. The right approach is to pass the tenant id from the client to IdentityServer using the OnRedirectToIdentityProvider event.
Example:

    options.Events.OnRedirectToIdentityProvider = (loginRedirectContext) =>
    {
        // Resolve the current tenant from the request scope and forward it to
        // IdentityServer as an extra parameter on the authorize request
        var servicesProvider = loginRedirectContext.HttpContext.RequestServices;
        var tenantInfo = servicesProvider.GetRequiredService<IRequestContextTenantInfo>();

        loginRedirectContext.ProtocolMessage.SetParameter("tenantId", tenantInfo.Id);

        return Task.FromResult(0);
    };

In IdentityServer you can read it in the Login action method like this:

    var _interaction = HttpContext.RequestServices.GetRequiredService<IIdentityServerInteractionService>();
    var returnUrl = HttpContext.Request.Query["ReturnUrl"].ToString();

    // Returns null when returnUrl is not a valid authorize request URL
    var authContext = await _interaction.GetAuthorizationContextAsync(returnUrl);
    var tenantId = authContext?.Parameters["tenantId"];

Now, based on the tenant id, you know which tenant you have to connect to in order to verify the login.

It's also good practice to add a custom middleware in IdentityServer4 that handles multitenancy at an early stage of the request pipeline. Example in the Configure method of Startup:

    app.UseMultiTenancy();
    app.UseIdentityServer();

and the UseMultiTenancy() method will read the tenant parameter that is sent from the client.

Feras Taleb
  • You suggest to (partially) reimplement what's already done. When a client passes `n.ProtocolMessage.AcrValues = "tenant:some-tenant";` with the auth request, IdSrv extracts it for easy access, just `context.Tenant;` see [this question/answer](https://stackoverflow.com/questions/48384484/multitentant-identity-server-4) for the reference – d_f May 23 '19 at 13:28
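The following is an added example, not code from the question, the answer or IdentityServer4 itself. It combines the answer's client-side event and UseMultiTenancy() middleware with the `tenant:` acr_values convention from the last comment, and adds the check a practitioner wants on the IdentityServer side: the tenant hint arrives in the authorize request, so it is attacker-controlled and must be constrained in shape and bound to the requesting client before anything is looked up with it. It assumes IdentityServer4 2.x/3.x on ASP.NET Core; `IRequestContextTenantInfo` (as in the answer), `TenantResolutionMiddleware` and the `allowed_tenants` entry in `Client.Properties` are hypothetical names chosen for this example.

```csharp
// Added example (not from the question, the answer or IdentityServer4).
// Assumes IdentityServer4 2.x/3.x and ASP.NET Core 2.x+. IRequestContextTenantInfo,
// TenantResolutionMiddleware and the "allowed_tenants" client property are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using IdentityServer4.Services;
using IdentityServer4.Stores;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// ----- Client application side -----
public interface IRequestContextTenantInfo { string Id { get; } }   // hypothetical, as in the answer

public static class ClientOidcSetup
{
    public static void Configure(OpenIdConnectOptions options)
    {
        // client_id / client_secret stay fixed per application; only the tenant hint varies per request
        options.ClientId = "mvc";
        options.Events.OnRedirectToIdentityProvider = ctx =>
        {
            var tenant = ctx.HttpContext.RequestServices.GetRequiredService<IRequestContextTenantInfo>();
            // IdentityServer4 parses the "tenant:" prefix of acr_values into AuthorizationRequest.Tenant
            ctx.ProtocolMessage.AcrValues = $"tenant:{tenant.Id}";
            return Task.CompletedTask;
        };
    }
}

// ----- IdentityServer side -----
public class TenantResolutionMiddleware
{
    // acr_values is untrusted input: constrain its shape before it reaches stores or logs
    private static readonly Regex TenantIdShape = new Regex("^[a-z0-9-]{1,64}$", RegexOptions.Compiled);
    private readonly RequestDelegate _next;
    public TenantResolutionMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context,
        IIdentityServerInteractionService interaction, IClientStore clients)
    {
        // The login UI is reached as /Account/Login?ReturnUrl=/connect/authorize/callback?...;
        // the original authorize parameters (including acr_values) are recovered from that ReturnUrl.
        var returnUrl = context.Request.Query["ReturnUrl"].ToString();
        if (!string.IsNullOrEmpty(returnUrl) && interaction.IsValidReturnUrl(returnUrl))
        {
            var authContext = await interaction.GetAuthorizationContextAsync(returnUrl);
            var tenantId = authContext?.Tenant;
            if (!string.IsNullOrEmpty(tenantId))
            {
                if (!TenantIdShape.IsMatch(tenantId))
                {
                    context.Response.StatusCode = StatusCodes.Status400BadRequest;
                    return;
                }
                // Bind the hint to the requesting client: a client may only sign users into its own tenants
                var clientId = authContext.Parameters["client_id"];
                var client = clientId == null ? null : await clients.FindClientByIdAsync(clientId);
                if (client == null || !IsAllowedTenant(client.Properties, tenantId))
                {
                    context.Response.StatusCode = StatusCodes.Status403Forbidden;
                    return;
                }
                context.Items["Tenant"] = tenantId;   // consumed by the Login action / user store
            }
        }
        await _next(context);
    }

    // "allowed_tenants" is a hypothetical custom Client.Properties entry, e.g. "acme,contoso"
    private static bool IsAllowedTenant(IDictionary<string, string> props, string tenantId) =>
        props.TryGetValue("allowed_tenants", out var list) &&
        list.Split(',').Select(t => t.Trim()).Contains(tenantId, StringComparer.Ordinal);
}

public static class MultiTenancyExtensions
{
    // Register before app.UseIdentityServer(), as in the answer
    public static IApplicationBuilder UseMultiTenancy(this IApplicationBuilder app) =>
        app.UseMiddleware<TenantResolutionMiddleware>();
}
```

The Login action then reads `HttpContext.Items["Tenant"]` instead of re-parsing the return URL. Rejecting a tenant the client is not configured for (rather than silently falling back to a default tenant) is the point of the client-binding check: without it, any party that can craft an authorize URL for a legitimate client could steer the login into a user store that client was never meant to reach.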