3scale / APIcast

3scale API Gateway
Apache License 2.0

We need separate authentication (different OIDC issuers) for different Consumer Organizations (audience) #1334

Open pritish-nitb opened 2 years ago

pritish-nitb commented 2 years ago

We have multi-tenancy for the consumer organizations, where each organization is part of a different OpenID realm. So when each consumer calls the API that we publish on 3scale, it only calls with a token from its own OIDC issuer. However, the APIcast configuration only allows us to add one OpenID Connect issuer, so we are not able to validate the tokens of all the consumer organizations (audiences).

Version

2.7


Steps To Reproduce
  1. Publish any service on 3scale (pay attention to the OpenID Connect issuer in the APIcast configuration)
  2. Call the API using the tokens you got from two different OIDC issuers (realms in Red Hat SSO)
  3. The call doesn't go through, as the issuer doesn't match
Current Result

401 error

Expected Result

We are trying to find out if 3scale can authenticate even if we have consumer organizations in different Red Hat SSO realms and still expect the calls to work.

Additional Information

guicassolato commented 2 years ago

@pritish-nitb, 3scale only supports one OpenID Connect issuer endpoint per facade API product. This would therefore be an RFE; one particularly challenging to implement IMO if extended to other components of the API management system such as 3scale/porta and 3scale/zync, which usually handle the synchronisation of the clients in Red Hat SSO.

Have you explored using groups instead of realms for modelling multi-tenancy in Red Hat SSO? Here's an example from the community: https://medium.com/swlh/using-keycloak-for-multi-tenancy-with-one-realm-7be81583ed7b.

navinyashende commented 1 year ago

@guicassolato Would it be possible to write a custom authentication policy that authenticates the token and returns the response in the required format? We have a similar requirement where there are two IDPs: one of them is RH SSO and the other one is custom.
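The custom policy route raised above can be sketched as an APIcast policy that keeps an allow-list of issuers and picks the verification key by the token's `iss` claim. This is an added example, not code from the APIcast project or from anyone in this thread. It assumes the APIcast policy module API (`apicast.policy`'s `new` and the `access` phase hook) and the `resty.jwt` / `resty.jwt-validators` modules bundled with APIcast; the policy name `multi_issuer_jwt`, the `issuers` / `audience` configuration shape (which would have to be declared in the policy's `apicast-policy.json`), and the PEM placeholders are all assumptions. Keys are static PEM strings here rather than fetched from each realm's JWKS endpoint, which a production policy would want to add.

```lua
-- multi_issuer_jwt/policy.lua (hypothetical policy name; added example, not APIcast's own code).
-- Assumes the APIcast policy API (policy.new / :access) and lua-resty-jwt as bundled with APIcast.
local policy = require('apicast.policy')
local jwt = require('resty.jwt')
local validators = require('resty.jwt-validators')

local _M = policy.new('multi_issuer_jwt', '0.1')
local new = _M.new

-- Refuse anything but RS256 so a token cannot downgrade to HS256 and reuse
-- the public key as an HMAC secret (classic key-confusion).
jwt:set_alg_whitelist({ RS256 = 1 })

-- Assumed config shape (would be declared in apicast-policy.json):
-- { "audience": "my-api",
--   "issuers": [
--     { "iss": "https://sso.example.com/auth/realms/orgA", "public_key": "-----BEGIN PUBLIC KEY-----..." },
--     { "iss": "https://sso.example.com/auth/realms/orgB", "public_key": "-----BEGIN PUBLIC KEY-----..." } ] }
function _M.new(config)
  local self = new(config)
  self.keys = {}
  for _, entry in ipairs(config.issuers or {}) do
    self.keys[entry.iss] = entry.public_key   -- issuer URL -> PEM public key
  end
  self.audience = config.audience
  return self
end

local function bearer_token()
  local auth = ngx.req.get_headers()['Authorization']
  if type(auth) ~= 'string' then return nil end
  return auth:match('^[Bb]earer%s+(.+)$')
end

-- Keycloak/RH SSO emits aud either as a string or as an array of strings.
local function has_audience(aud, expected)
  if type(aud) == 'string' then return aud == expected end
  if type(aud) == 'table' then
    for _, a in ipairs(aud) do
      if a == expected then return true end
    end
  end
  return false
end

local function deny(reason)
  ngx.log(ngx.WARN, 'multi_issuer_jwt: rejected token: ', reason)
  ngx.status = ngx.HTTP_UNAUTHORIZED
  ngx.header['WWW-Authenticate'] = 'Bearer error="invalid_token"'
  return ngx.exit(ngx.status)
end

function _M:access(context)
  local token = bearer_token()
  if not token then return deny('missing bearer token') end

  -- Parse without verifying, only to read which issuer the token claims.
  local jwt_obj = jwt:load_jwt(token)
  if not jwt_obj.valid then return deny('malformed JWT') end

  -- The allow-list, not the token, decides which key is used: an unknown
  -- iss is rejected before any signature check happens.
  local iss = jwt_obj.payload and jwt_obj.payload.iss
  local key = iss and self.keys[iss]
  if not key then return deny('unknown issuer: ' .. tostring(iss)) end

  local verified = jwt:verify_jwt_obj(key, jwt_obj, {
    iss = validators.equals(iss),
    exp = validators.is_not_expired(),
  })
  if not verified.verified then
    return deny(verified.reason or 'signature verification failed')
  end

  if self.audience and not has_audience(verified.payload.aud, self.audience) then
    return deny('audience mismatch')
  end

  -- Expose the verified claims to later policies in the chain.
  context.jwt = verified.payload
  context.jwt_issuer = iss
end

return _M
```

Two caveats a practitioner would want: first, this only replaces token validation at the gateway; as noted above, client synchronisation through 3scale/zync would still be tied to the single issuer configured on the product. Second, the realm-per-tenant model means one compromised realm key only affects that tenant, which is the main security argument for keeping issuers separate rather than collapsing tenants into groups in one realm.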