
I am in the process of setting up a solution with an ASP.NET Core WebApi, a Javascript client (with oidc-client-js) and an IdentityServer4 with Identity.

I have followed different tutorials and guides and have come to a solution that works well.
When accessing the JS client while not authenticated, I am redirected to the IdentityServer, where I can successfully log in and am redirected back to the JS client with my bearer token, which I then use to consume the API.

The system will have to support multiple "tenants", all sharing the same DB though. The idea is to access the JS client with a tenant key in the URL and pass it on: www.mydomain.com/{tenantKey}/someSubPage

I would like to read tenantKey and pass it to IdentityServer using a custom HTTP header like X-My-Tenant-Key. IdentityServer should then include this key in the authorization process.

I have checked oidc-client-js' GitHub page and done some further research; however, I was not able to find out how this could work.

The alternative would be to include the key in IdentityServer's URL and apply some MVC routing magic, or to somehow do some dirty stuff with the redirect_uri.
Before trying any of this, though, I wanted to see if I might be missing something here.

This is how my JS client prototype handles it right now:

// Setup
var config = {
    authority: "http://localhost:50000",
    client_id: "myClient",
    redirect_uri: "http://localhost:65000/callback.html",
    response_type: "id_token token",
    scope: "openid profile email myApi",
    post_logout_redirect_uri: "http://localhost:65000/index.html",
};
var mgr = new Oidc.UserManager(config);

...

// Signing in
mgr.signinRedirect();
Davide De Santis

1 Answer


Don't know if this is what you are looking for, but you can pass the Tenant Key as a query parameter through "acr_values" from your client to Identity Server (Authorization Server). This is meant for situations like yours. You need to add acr_values to your client:

config = {
    authority: "http://localhost:50000",
    client_id: "myClient",
    redirect_uri: "http://localhost:65000/callback.html",
    response_type: "id_token token",
    scope: "openid profile email myApi",
    post_logout_redirect_uri: "http://localhost:65000/index.html",
    acr_values: "tenant:your_tenant"
};

Then you can access the value in your Authorization Server through the Authorization Context, for example:

string tenant = context.Tenant;

You can read the docs; one of its uses is exactly passing tenant information.

LalitaCode
  • I actually just found this out by accident, while debugging after having implemented another solution (which I can still use for something else). Thanks! – Davide De Santis May 23 '20 at 17:25
  • It is also possible to pass 'idp:name_of_idp' in acr_values to bypass the login/home realm screen and forward the user directly to the selected identity provider (if allowed per client configuration) – Sundeep May 13 '22 at 02:53
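Putting the answer's approach together on the client side, as an added example that is not code from the question, the answer, oidc-client-js or IdentityServer4: the tenant key is read from the URL path layout the question describes, checked against an allowlist pattern before it is placed into acr_values, and a small mirror parser shows how a space-separated acr_values string splits into the tenant and idp parts mentioned in the answer and the comment above. The TENANT_KEY_RE format and the "tenant:" / "idp:" prefix handling are assumptions modelled on the answer, not IdentityServer4's own parsing code.

```javascript
// Added example (not from the question, the answer or the libraries involved).
// Assumption: tenant keys are short lowercase slugs; tighten to your own rules.
const TENANT_KEY_RE = /^[a-z0-9][a-z0-9-]{0,31}$/;

// Extract the tenant key from a path such as "/acme/someSubPage".
// Returns null when the first segment is missing, undecodable or malformed, so a
// crafted path cannot smuggle spaces (extra acr_values parts) into the request.
function tenantFromPath(pathname) {
  const first = pathname.split("/").filter(Boolean)[0];
  if (!first) return null;
  let key;
  try { key = decodeURIComponent(first).toLowerCase(); } catch (e) { return null; }
  return TENANT_KEY_RE.test(key) ? key : null;
}

// Build the oidc-client-js UserManager settings for one tenant. The base settings
// are the ones from the question; acr_values is the only tenant-specific part.
function buildOidcConfig(tenantKey) {
  if (typeof tenantKey !== "string" || !TENANT_KEY_RE.test(tenantKey)) {
    throw new Error("invalid tenant key");
  }
  return {
    authority: "http://localhost:50000",
    client_id: "myClient",
    redirect_uri: "http://localhost:65000/callback.html",
    response_type: "id_token token",
    scope: "openid profile email myApi",
    post_logout_redirect_uri: "http://localhost:65000/index.html",
    acr_values: "tenant:" + tenantKey,
  };
}

// Mirror of the server-side split (assumed, modelled on the answer): acr_values is a
// space-separated list; "tenant:<x>" surfaces as context.Tenant, "idp:<x>" as the IdP.
function parseAcrValues(acrValues) {
  const out = { tenant: null, idp: null, other: [] };
  for (const part of (acrValues || "").split(" ").filter(Boolean)) {
    if (part.startsWith("tenant:")) out.tenant = part.slice("tenant:".length);
    else if (part.startsWith("idp:")) out.idp = part.slice("idp:".length);
    else out.other.push(part);
  }
  return out;
}

// Client-side usage (constructed):
// const key = tenantFromPath(window.location.pathname);
// const mgr = new Oidc.UserManager(buildOidcConfig(key));
```

Because acr_values is supplied by the browser, IdentityServer must still verify on its side that the authenticated user actually belongs to the tenant it receives; the value is a hint for the login flow, not proof of membership.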