itpropro / nuxt-oidc-auth

OIDC (OpenID connect) focused auth module for Nuxt
https://nuxt.com/modules/nuxt-oidc-auth
MIT License

Change/specify client id dynamically #57

Open schinois opened 1 day ago

schinois commented 1 day ago

Hi,

For my project I want to work with subdomains as multitenant: x.domain.com, y.domain.com, z.domain.com.

I would like to specify x, y or z as the clientId during the login workflow, to get it back during the callback in the azp claim. The goal is to make a fully hermetic token for each client: if I'm working for both the x and z clients, I want to be sure that x's data will not go to y's back API. This way my token will have a claim with its own tenant (x, y or z) in its "azp" claim.

Can you tell me if this feature is supported, or give me your ideas on how to do it myself (or maybe you have a better idea?)?

Thank you in advance :)

itpropro commented 1 day ago

Hi @schinois this is currently not supported. Just from an OIDC perspective it would also mean having three different client applications with their respective audience, redirectUri, etc. configuration. In a multitenant scenario, the clientId should stay the same, as the client is always the same frontend application (except you have completely different instances of you application, which is just a separate configuration for each instance then) and the different tenants should then be handled by claims in the token. You could use custom claims in your IdP, custom roles or whatever it supports. You should also be aware of what the audience of the auth process is. Are you going to use the token to access your apps api then the audiece should be the clientId of the api, hinted by a resource hint on login. If you have separate customer domains because of a SSO requirement, your IDP should have the customers oidc provider added as trusted/federated party and should handle that internally with a hint via. query params from the frontend.