JonPSmith / AuthPermissions.AspNetCore

This library provides extra authorization and multi-tenant features to an ASP.NET Core application.
https://www.thereformedprogrammer.net/finally-a-library-that-improves-role-authorization-in-asp-net-core/
MIT License
764 stars, 155 forks

User who has rights in several tenants #68

Closed fdonnet closed 1 year ago

fdonnet commented 1 year ago

Hello,

What a great, precise and clear job you did to build this multi-tenant permissions system.

I'm trying to read your code and I have a question about the AuthUser and his tenant attribution. I can be completely wrong but it seems you always need to attach a "standard/normal" user to one tenant max (or tenant hierarchy).

And my question: can we imagine a case when an external contractor will be affiliated to several companies owning a "tenant" each, and in this case he will be forced to register with a different userid/useremail for each tenant? And if we choose to use an external auth provider (Google/Azure/other) he will not be able to register with the same auth method on several tenants?

I'm maybe missing something (a param or a segregation I didn't see or something) that allows this use case "horizontal multi-tenants user"?

Thx again for this awesome GitHub repo.

JonPSmith commented 1 year ago

Hi @fdonnet,

You are correct, this library doesn't support a user logging into more than one tenant. In fact, the client that asked me to design / build a multi-tenant app needed this feature because a person might work in two shops, but it was a real pain to implement. It needed a pre-login stage for users that have access to more than one tenant to select which tenant they want to log into, and each tenant has a different set of Roles/Permissions for the user because they might have a different job in each tenant.

What I did for my client was fixed on a specific authentication provider and I wanted the AuthP to work with any authentication provider. Also I knew the AuthP library was going to be complex, both for me to build / document but also for developers to understand, so I didn't provide the "one user / many tenants" feature.

I have learnt a lot while building this library and I think I could implement a "one user / many tenants" feature that works with any authentication provider, but it's complex to write and complex for developers to understand. So, sorry I'm not going to work on this - my next job is adding multi-language handling to the library, see issue #58.

fdonnet commented 1 year ago

thx for your return. And sry that I didn't see #56 where my question was already discussed before ;)

JonPSmith commented 1 year ago

No problem. I gave more information because your question was so clear.