nuages-io / nuages-identity-2

ASP.NET Core Identity UI
https://nuages.io
Apache License 2.0
65 stars 5 forks

Multi tenancy supportable #5

Open abhishekp21 opened 11 months ago

abhishekp21 commented 11 months ago

Thank you for the fantastic project @martin-masse @martinmasse @jafin . I truly appreciated the way you presented the code, which is production-ready.

I have a specific requirement regarding multi-tenancy. In the scenario where a user belongs to multiple tenants, I'd like to implement a login process where the user first encounters the login screen. Once their credentials are verified, they should be presented with a list of tenants they are associated with. After selecting a tenant, I need to generate a token that includes the tenant ID.

I've noticed that most solutions online with regard to OpenIddict use URL-based tenancy, where the tenant details are part of the URL. However, I don't want to rely on this URL strategy, as it would require users to know multiple URLs for each tenant login. Is there a way to achieve this without relying on the URL strategy, perhaps using acr_values? Your guidance on this matter would be greatly appreciated.

Once again, thank you for your contribution to this project.

martin-masse commented 11 months ago

Since you seem to share the identity across tenants, I think it would be simpler to send the tenant id from your client instead of having it in the token (e.g. a request header).

Otherwise, you could also do this... you need to modify some code.

  1. Add a new auth scheme (look for NuagesIdentityConstants.EmailNotVerifiedScheme), e.g. `.AddCookie("MyTenantScheme")`

  2. Add a new page and apply the auth scheme to the page (look at EmailNotConfirmed.cshtml on how to do this)

  3. Change SignInResultModel to add a new state (e.g. TenantIdMissing)

  4. Change login.js to handle the new state and redirect to your new page (including the redirect URL)

  5. Change CustomSignInOrTwoFactorAsync to return the new state when the sign-in is valid.

So what will happen is

  1. The user will be redirected to the login page
  2. The user will login with success
  3. The user will be redirected to the tenant selection page
  4. The tenant is selected and the user will be redirected to the caller with the authorization response.

The selected tenant can be saved to wherever you want (session, redis, etc). Then you just have to add a claim in the authorize endpoint.

This is not a complete solution and might include some errors, but it should give you an idea of what to do.

Good luck
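A sketch of steps 1, 2 and 5 above in C#, added here as an illustration and not code from nuages-identity-2 or from the commenter. The scheme name `TenantSelection`, the `ITenantMembership` service, the claim type, the page paths and the use of session storage are all assumptions; the point it adds beyond the steps is that the selection page must re-check membership on the server and that the intermediate cookie is short-lived and single-use.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Assumed names: the intermediate scheme, the claim type and the session key.
public static class TenantSelection
{
    public const string Scheme = "TenantSelection";
    public const string ClaimType = "tenant_id";
    public const string SessionKey = "selected_tenant";
}

// Hypothetical lookup of the tenants a user belongs to.
public interface ITenantMembership
{
    Task<string[]> TenantsForUserAsync(string userId);
}

public static class TenantSelectionSetup
{
    // Step 1: a separate, short-lived cookie scheme that only bridges
    // "credentials verified" to "tenant chosen". It is not the application's login cookie.
    public static AuthenticationBuilder AddTenantSelectionScheme(this AuthenticationBuilder auth) =>
        auth.AddCookie(TenantSelection.Scheme, o =>
        {
            o.ExpireTimeSpan = TimeSpan.FromMinutes(5);
            o.SlidingExpiration = false;
            o.Cookie.HttpOnly = true;
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            o.Cookie.SameSite = SameSiteMode.Lax;
            o.LoginPath = "/account/login";
        });

    // Step 5: called by the sign-in code once the password (and 2FA) check succeeded,
    // instead of issuing the real application cookie.
    public static Task IssueSelectionCookieAsync(HttpContext http, string userId)
    {
        var identity = new ClaimsIdentity(TenantSelection.Scheme);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        return http.SignInAsync(TenantSelection.Scheme, new ClaimsPrincipal(identity));
    }

    // For the authorize endpoint: stamp the tenant claim on the principal the token is
    // issued from, routed into the access token only.
    public static void AddTenantClaim(ClaimsIdentity identity, string tenantId)
    {
        var claim = new Claim(TenantSelection.ClaimType, tenantId);
        claim.SetDestinations(Destinations.AccessToken);
        identity.AddClaim(claim);
    }
}

// Step 2: the selection page. Only the intermediate scheme is accepted here, so a user
// who never passed the credential check cannot reach it.
[Authorize(AuthenticationSchemes = TenantSelection.Scheme)]
public class TenantSelectionController : Controller
{
    private readonly ITenantMembership _membership;
    public TenantSelectionController(ITenantMembership membership) => _membership = membership;

    [HttpGet("/account/select-tenant")]
    public async Task<IActionResult> Index(string? returnUrl)
    {
        var userId = User.FindFirstValue(ClaimTypes.NameIdentifier)!;
        ViewData["ReturnUrl"] = returnUrl;
        return View(await _membership.TenantsForUserAsync(userId));
    }

    [HttpPost("/account/select-tenant")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Select([FromForm] string tenantId, [FromForm] string? returnUrl)
    {
        var userId = User.FindFirstValue(ClaimTypes.NameIdentifier)!;
        var allowed = await _membership.TenantsForUserAsync(userId);

        // Server-side check: the posted tenant must be one this user is a member of,
        // regardless of what the form listed.
        if (!allowed.Contains(tenantId, StringComparer.Ordinal))
            return Forbid(TenantSelection.Scheme);

        // Remember the choice where the authorize endpoint can read it, then drop the
        // one-shot selection cookie so it cannot be replayed for another selection.
        HttpContext.Session.SetString(TenantSelection.SessionKey, tenantId);
        await HttpContext.SignOutAsync(TenantSelection.Scheme);

        // LocalRedirect only follows in-site relative URLs, so the redirect cannot be pointed off-site.
        return LocalRedirect(string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl);
    }
}
```

The authorize endpoint then reads `TenantSelection.SessionKey`; if it is empty it challenges back through login so the user passes through the selection page again, otherwise it calls `AddTenantClaim` on the identity it signs in with OpenIddict. Session-scoped storage means the tenant choice is tied to the browser session, not to the token, which is the same trade-off as the header approach mentioned above.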

abhishekp21 commented 11 months ago

Thanks for your quick response. Let me try it out.