0

My problem is as follows: We have customers who want to log in to our app using Azure AD (Microsoft work accounts). Due to organizational issues, it is impossible to set our tenant to act as a hub, where we have the app registration and just invite users from other tenants to join ours.

Instead, what we had to do is just log in to the customer tenant (we have access). So, we created an app registration directly in the customer tenant, set up our app with that app registration's tenant id, client id and client secret, and logging in users from that tenant works just fine.

I understand that it's not ideal. However, now a second customer shows up, which will work in the same way. Now the problem is how to handle changing the client id and client secret at runtime. The authority can be set to common, so it will find the correct tenant by the user's email; however, in order to authenticate, I have to know where the user is coming from (customer A or customer B) and then set the clientId and clientSecret for that request based on that.

At the moment, I have middleware registered in OWIN (app.UseOpenIdConnectAuthentication), but I have to set it up with values from config at startup time. I tried to use the "RedirectToIdentityProvider" event, but changing the values there just doesn't seem to work; they are always the same as when the middleware was created.

How can I make it work correctly, authenticating users from both customers against their own respective app registrations?

Valium
  • 29
  • 8

1 Answer

0

I tried to reproduce the same in my environment and got the results below:

Creating a multi-tenant application would be the ideal solution to achieve your scenario.


And then you can make use of the organizations endpoint to make requests from multiple organizations.

As a sample, I used the endpoint below:

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=517a7938-f193-4d79-972a-b4a9fd12dc48
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345


The user is logged in successfully.

Due to organizational issues, it is impossible to set our tenant to act as a hub, where we have app registration and just invite other tenants to join their users to ours.

Assuming that a multi-tenant application is not suitable due to your organizational issues, you can try the following:

You can make use of the RedirectToIdentityProvider property like below:

public void ConfigureServices(IServiceCollection services)
{
    services
        .AddAuthentication()
        .AddOpenIdConnect(options =>
        {
            // Front channel: runs before the browser is redirected to the authorize endpoint,
            // so only the client_id is set here (anything put on ProtocolMessage ends up in the redirect URL).
            options.Events.OnRedirectToIdentityProvider = context =>
            {
                var clientId = "find your client id";
                context.ProtocolMessage.ClientId = clientId;
                return Task.CompletedTask;
            };

            // Back channel: runs server-side when the authorization code comes back; the
            // client_secret is attached to the token request here and never reaches the browser.
            options.Events.OnAuthorizationCodeReceived = context =>
            {
                var clientId = "find your client id";
                var clientSecret = "find your client secret";
                context.TokenEndpointRequest.ClientId = clientId;
                context.TokenEndpointRequest.ClientSecret = clientSecret;
                return Task.CompletedTask;
            };
        });
}

Otherwise, you can also use separate authentication middleware instances for each customer.

  • You need to register multiple middleware instances in OWIN, each with its own set of configuration variables for the appropriate customer's app registration.

If the issue still persists, you can modify the code to something like below:

RedirectToIdentityProvider = n =>
{
    // Front channel: only the client_id is safe to put into the redirect URL the browser follows.
    var customerId = n.OwinContext.Request.Query["customerId"];
    if (customerId == "xxx")
        n.ProtocolMessage.ClientId = "client_id_xxx";
    else if (customerId == "***")
        n.ProtocolMessage.ClientId = "client_id_***";
    return Task.CompletedTask;
},
AuthorizationCodeReceived = n =>
{
    // Back channel: the secret goes only on the token request (assumes Microsoft.Owin.Security.OpenIdConnect 4.1+
    // with RedeemCode = true); the tenant is taken from the validated id_token, not from user input.
    var tenantId = n.AuthenticationTicket.Identity.FindFirst("tid").Value;
    if (tenantId == "tenant_id_xxx") {
        n.TokenEndpointRequest.ClientId = "client_id_xxx";
        n.TokenEndpointRequest.ClientSecret = "client_secret_xxx";
    }
    else if (tenantId == "tenant_id_***") {
        n.TokenEndpointRequest.ClientId = "client_id_***";
        n.TokenEndpointRequest.ClientSecret = "client_secret_***";
    }
    return Task.CompletedTask;
}

References:

OpenIdConnectEvents.OnRedirectToIdentityProvider Property

Is there any way to change client_id and client_secret on the fly by Feras Taleb

Rukmini
  • 6,015
  • 2
  • 4
  • 14
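A fuller version of the per-customer approach from the answer above, as an added example that is not code from the question or the answer: one OWIN OpenID Connect middleware on the common authority, the client_id chosen per request on the front channel, the client_secret supplied only on the back-channel token request, and issuer and audience validation pinned to the registered tenants. It assumes Microsoft.Owin.Security.OpenIdConnect 4.1 or later (the RedeemCode option and the TokenEndpointRequest on the AuthorizationCodeReceived notification); the customer registry, tenant ids, client ids, secrets and redirect URI are constructed placeholders.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
public class Startup
{
    // Hypothetical per-customer registry with constructed placeholder values; real secrets come from a vault, not source.
    static readonly (string Key, string TenantId, string ClientId, string ClientSecret)[] Customers =
    {
        ("customerA", "<tenant-id-A>", "<client-id-A>", "<secret-A-from-vault>"),
        ("customerB", "<tenant-id-B>", "<client-id-B>", "<secret-B-from-vault>"),
    };
    public void Configuration(IAppBuilder app)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://login.microsoftonline.com/common/v2.0",
            ClientId = "overridden-per-request",
            ResponseType = "code id_token",   // the id_token arrives with the code, so 'tid' is known before redemption
            RedeemCode = true,                // assumption: Katana 4.1+, the middleware redeems the code itself
            RedirectUri = "https://app.example.com/signin-oidc",
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudiences = Customers.Select(c => c.ClientId),
                // With 'common', leaving issuer validation off would accept any Azure AD tenant; pin the registered ones.
                ValidIssuers = Customers.Select(c => $"https://login.microsoftonline.com/{c.TenantId}/v2.0")
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Front channel: only the client_id goes into the redirect URL the browser follows.
                RedirectToIdentityProvider = n =>
                {
                    var challenge = n.OwinContext.Authentication.AuthenticationResponseChallenge; // null on sign-out
                    if (challenge != null)
                        n.ProtocolMessage.ClientId = Customers.Single(c => c.Key == challenge.Properties.Dictionary["customer"]).ClientId;
                    return Task.CompletedTask;
                },
                // Back channel: the secret is chosen from the validated id_token's tenant, never from user input.
                AuthorizationCodeReceived = n =>
                {
                    var customer = Customers.Single(c => c.TenantId == n.AuthenticationTicket.Identity.FindFirst("tid").Value);
                    n.TokenEndpointRequest.ClientId = customer.ClientId;
                    n.TokenEndpointRequest.ClientSecret = customer.ClientSecret;
                    return Task.CompletedTask;
                }
            }
        });
    }
}
```

The sign-in action selects the customer by putting a "customer" entry into the AuthenticationProperties dictionary it passes to Challenge; the secret is then looked up only from the tid claim of the validated id_token, so a user cannot steer the app into using another customer's credentials.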