Finbuckle / Finbuckle.MultiTenant

Finbuckle.MultiTenant is an open-source multitenancy middleware library for .NET. It enables tenant resolution, per-tenant app behavior, and per-tenant data isolation.
https://www.finbuckle.com/multitenant
Apache License 2.0

User URL Restriction Per Tenant Based on Claim #131

Closed aceptra closed 4 years ago

aceptra commented 5 years ago

Thanks for your help on this previous issue: https://github.com/Finbuckle/Finbuckle.MultiTenant/issues/107#issuecomment-457787672

We've progressed (after dodging some other projects here and there). Either per-Tenant SSO Provider or Shared works (for the auth cookie).

We're using the url for the tenant store. How can we restrict URLs per user? Maybe this is in the examples already.

User1 has a claim saying "Tenant1". If that user browses to https://site/tenant2/ he should be rejected. Maybe this is in the framework already.

AndrewTriesToCode commented 5 years ago

Hi, if you use the normal ASP.NET Core authorization it should prevent them because if they visit that url they will not be logged in (if your per tenant cookie options are set correctly). If that doesn’t seem to be working for you post a sample of your code and I’ll be happy to go into more depth.


AndrewTriesToCode commented 5 years ago

Hi @aceptra, just want to follow up. Were you able to figure out how to make it work how you wanted?

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

terencevs commented 4 years ago

Hello, sorry to post to an old request, but I have a similar use case:

I have an api using WithRouteStrategy, example: https://localhost:5000/tenant1/contacts, https://localhost:5000/tenant2/contacts

What I want to do as part of my authentication is to check if the auth token has the claim tenant1 and, if so, allow the request; if not, access denied.

Any help with trying to achieve this would be greatly appreciated.

AndrewTriesToCode commented 4 years ago

@terencevs I am working on something like this for the next release. For the moment you'd have to do it manually by adding the claim and the authorization check yourself.

I think you'd want to have it be a global authorization policy that compares the tenant in MultiTenantContext.TenantInfo to the user's claim. The harder part is setting the claim in the first place, but I would recommend hooking the appropriate authentication event and adding the claim there.

terencevs commented 4 years ago

@achandlerwhite this is my first attempt:

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Filters;

services.AddControllers(options =>
{
    // Global policy: the caller's "tenant" claim must equal the __tenant__
    // route value that WithRouteStrategy resolves the tenant from.
    var policy = new AuthorizationPolicyBuilder()
        .RequireAssertion(ctx =>
        {
            // Resource is the filter context when the policy runs as an MVC AuthorizeFilter.
            if (!(ctx.Resource is AuthorizationFilterContext context))
                return false;

            // TryGetValue instead of First(): a route without a tenant segment is denied, not an exception.
            if (!context.RouteData.Values.TryGetValue("__tenant__", out var value) || !(value is string tenant))
                return false;

            return ctx.User.HasClaim("tenant", tenant);
        })
        .Build();

    options.Filters.Add(new AuthorizeFilter(policy));
});
```
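Below is an added example (not code from this thread, from terencevs, or from the Finbuckle project) that follows the two pieces AndrewTriesToCode describes above: a global authorization policy that compares the tenant in `MultiTenantContext.TenantInfo` with the user's claim, and an authentication event that sets that claim in the first place. Unlike the first attempt above, it does not read the raw `__tenant__` route value, so it works the same with any resolution strategy and denies requests where no tenant was resolved. It assumes Finbuckle's `HttpContext.GetMultiTenantContext()` extension and `TenantInfo.Identifier` (check the names against your Finbuckle version), cookie authentication, and a claim type named `tenant`; `TenantClaimRequirement`, `TenantClaimHandler` and `TenantAuthorizationSetup` are names chosen for this example.

```csharp
// Added example, not code from this thread or the Finbuckle project.
// Assumed: Finbuckle's HttpContext.GetMultiTenantContext() extension with
// TenantInfo.Identifier (check the names in your Finbuckle version), cookie
// authentication, and a claim type named "tenant".
using System.Security.Claims;
using System.Threading.Tasks;
using Finbuckle.MultiTenant;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class TenantClaimRequirement : IAuthorizationRequirement { }

// Succeeds only when the "tenant" claim equals the identifier of the tenant
// Finbuckle resolved for this request (MultiTenantContext.TenantInfo).
public class TenantClaimHandler : AuthorizationHandler<TenantClaimRequirement>
{
    private readonly IHttpContextAccessor _accessor;

    public TenantClaimHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, TenantClaimRequirement requirement)
    {
        var tenant = _accessor.HttpContext?.GetMultiTenantContext()?.TenantInfo;

        // No resolved tenant (unknown route segment, or the multitenant
        // middleware has not run): leave the requirement unmet, so deny.
        if (tenant == null)
            return Task.CompletedTask;

        // Exact match of claim value to tenant identifier. A user holding
        // tenant=tenant1 who requests /tenant2/contacts is authenticated but
        // fails authorization.
        if (context.User.HasClaim("tenant", tenant.Identifier))
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

public static class TenantAuthorizationSetup
{
    // Call from Startup.ConfigureServices alongside your existing
    // services.AddMultiTenant().WithRouteStrategy()... registration.
    public static void Configure(IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddSingleton<IAuthorizationHandler, TenantClaimHandler>();

        services.AddAuthorization(options =>
        {
            // Global policy: applies to every endpoint, including those that
            // carry no [Authorize] attribute, via FallbackPolicy.
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddRequirements(new TenantClaimRequirement())
                .Build();
            options.DefaultPolicy = policy;
            options.FallbackPolicy = policy;
        });

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o => o.Events.OnSigningIn = ctx =>
            {
                // Stamp the claim server-side at sign-in from the tenant the
                // user signed in under; the client never supplies it.
                var tenant = ctx.HttpContext.GetMultiTenantContext()?.TenantInfo;
                if (tenant != null && ctx.Principal.Identity is ClaimsIdentity identity)
                    identity.AddClaim(new Claim("tenant", tenant.Identifier));
                return Task.CompletedTask;
            });
    }
}
```

Two points worth checking when wiring this in: `UseMultiTenant()` must run before `UseAuthentication()` and `UseAuthorization()` in the pipeline, otherwise the handler sees no resolved tenant and denies everything; and `FallbackPolicy` exists from ASP.NET Core 3.0 onward, so on 2.x use the `AuthorizeFilter` approach from the previous comment with this requirement added to its policy instead. The handler reads the tenant through `IHttpContextAccessor` rather than `AuthorizationHandlerContext.Resource`, because the type of `Resource` changed between ASP.NET Core versions and the accessor does not.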