search

dotnet / systemweb-adapters

MIT License
340 stars 61 forks source link

Multidomain session/authentication support #267

Open urbanowiczpiotr opened 1 year ago

urbanowiczpiotr commented 1 year ago

Is there any way or plans to support multidomain session and/or authentication scenario? I'm trying to migrate existing ASP.NET SaaS multiple subdomain app (subdomain1.example.com, subdomain2.example.com etc), provided multiple Routes/Clusters in ReverseProxy configuration and it works greats. The next step would be setting RemoteAppUrl in AddRemoteAppClient options, but in this case it must be different for each subdomain.

I've checked both RemoteAppClientOptions and RemoteAppAuthenticationService, but don't know how to do that (easily) without overriding huge part o code.

twsouthwick commented 1 year ago

@urbanowiczpiotr thanks for the issue - I don't think this was part of our initial design. Can you help me understand your scenario a bit more?

1) Are you planning on using just authentication or would you want to enable session support? 2) Does it matter which backend you use? i.e. will you need to be able configure certain endpoints to go to certain backends?

I'm assuming we'd want to address the more complicated of these scenarios which would be both auth and session that have requirements for specific backends. My initial thoughts are that we can use named options for the RemoteAppClientOption to allow registrations. The next question is how do we coordinate which backend for which system.

1) For authentication, we can maybe piggy-back the concept of scheme to disambiguate and coordinate things 2) For session, we may need to add a property to the session metadata so we can identify the backend required for each endpoint.

/cc @Tratcher @mjrousos as FYI and if you have thoughts on how/if we want to do this

mjrousos commented 1 year ago

+1 to @twsouthwick's comment. This scenario isn't covered by the initial design here. If you can share more details on your scenario, @urbanowiczpiotr, that would be great.

Sharing auth with multiple backends seems possible if we allow configuring remote app auth multiple times with different scheme names. Session may be trickier, but @twsouthwick's idea of annotating which backend to use in session metadata might work.

urbanowiczpiotr commented 1 year ago

Thanks for response. Answering your questions:

  1. I am planning to use authentication, but suppose someone could be interested in session support also.
  2. I would like endpoints to go certian backend or another based on Request.Host value, i.e. request towards subdomain1.example.com goes to subdomain1.example.com:1234, while request towards subdomain2.example.com goes to subdomain2.example.com:1234. This would be mapped based on routes's 'Hosts' key from YARP configuration, e.g:
"ReverseProxy": {
    "Routes": {
      "route1": {
        "ClusterId": "cluster1",
        "Match": {
          "Path": "{**catch-all}",
          "Hosts": ["subdomain1.example.com" ]
        }
      },
      "route2": {
        "ClusterId": "cluster2",
        "Match": {
          "Path": "{**catch-all}",
          "Hosts": [ "subdomain2.example.com" ]
        }
      }
    },
    "Clusters": {
      "cluster1": {
        "Destinations": {
          "destination1": {
            "Address": "https://subdomain1.example.com:1234/"
          }
        }
      },
      "cluster2": {
        "Destinations": {
          "destination1": {
            "Address": "https://subdomain2.example.com:1234/"
          }
        }
      }
    }
  }