p2-inc / keycloak-orgs

Single realm, multi-tenancy for SaaS apps

access token scoped to organization #136

Closed slabiak closed 5 months ago

slabiak commented 8 months ago

Is it possible to issue tokens scoped to only one organization? Currently, if there is one user who belongs to two organizations and in one org he is an admin and in the second he is just a regular user, then when such a user logs in we have one access token which grants access to both orgs. I would prefer if I could give the login URL some info about which organization we are trying to log in to, and in the access token I would like to have only info about that organization. Reason: currently my backend needs some additional info for such users apart from the access token to resolve the correct tenant database, and this info currently comes either from an additional request header or from the subdomain. It would be better to have that info in the token instead of resolving it from the subdomain/request header.

xgp commented 8 months ago

You can map the organization information into the token https://github.com/p2-inc/keycloak-orgs#mappers and then the application can decide what to show the user based on the organization->role associations. This extension is not a policy enforcement point for authorization.

slabiak commented 8 months ago

Yes, I know about this mapping and I have this mapper added, but as I said, I have a token for a user which is in two organizations, let's say orgA and orgB, and I have my backend application with endpoint api/user/me and I have two separate databases for orgA and orgB. Then when a call is made to the backend app to api/user/me, the backend doesn't know which db to choose, whether it should be the db for orgA or the db for orgB, because the token says the user belongs to both orgs. In other words, when you log in to Keycloak you are logged in to all orgs instead of a single one. I can solve this by adding a request header to all calls which will specify the org name, and then the backend will know which db to use, but I would prefer a solution where during login I specify which tenant the user tries to log in to and in the access token have at most 1 organization listed.

xgp commented 8 months ago

Thank you for the additional context.

you are logged in to all orgs instead of a single one

That is correct. The extension, and thus the token design, are meant to represent the identity of a user. A user may be a member of many organizations, and there are many use cases where applications need to know all of the organizations the user is a member of.

backend doesn't know which db to choose

Pass an orgId to your backend in the request or the header. I think you laid out the most appropriate solution.

Net is, this extension doesn't work the way that would be convenient for you. However, we're happy to look at designs and PRs for any backwards compatible changes you suggest.
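The approach suggested above (org id passed per request, token listing all memberships), as an added example that is not code from the keycloak-orgs project: the backend honours the requested org only if the token's organization claim contains it, and uses only that organization's roles. The layout of the "organizations" claim, the header name and the org-to-database table are assumptions.

```python
# Added example, not keycloak-orgs code. Assumes the access token has already
# been signature-verified and decoded into `claims`, and that the organization
# mapper emits an "organizations" claim keyed by org id (an assumption).
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample claims: one user, admin in orgA, regular member in orgB.
SAMPLE_CLAIMS = {
    "sub": "user-123",
    "organizations": {
        "org-a-id": {"name": "orgA", "roles": ["admin", "member"]},
        "org-b-id": {"name": "orgB", "roles": ["member"]},
    },
}

# Hypothetical org id -> tenant database mapping held by the backend.
TENANT_DB = {"org-a-id": "tenant_org_a", "org-b-id": "tenant_org_b"}


@dataclass(frozen=True)
class TenantContext:
    org_id: str
    db_name: str
    roles: Tuple[str, ...]


class TenantResolutionError(Exception):
    pass


def resolve_tenant(claims: dict, requested_org: Optional[str]) -> TenantContext:
    """Pick the tenant for one request from an org id sent by the client
    (e.g. an X-Org-Id header) and the token's organization memberships."""
    orgs = claims.get("organizations") or {}
    if not orgs:
        raise TenantResolutionError("token carries no organization membership")
    if requested_org is None:
        # Without an explicit org the choice is only unambiguous for one membership.
        if len(orgs) != 1:
            raise TenantResolutionError("org id required: user is in several organizations")
        requested_org = next(iter(orgs))
    if requested_org not in orgs:
        # The client named an org the user is not a member of: reject, never fall back.
        raise TenantResolutionError("user is not a member of the requested organization")
    if requested_org not in TENANT_DB:
        raise TenantResolutionError("no tenant database configured for this organization")
    roles = tuple(orgs[requested_org].get("roles", []))
    return TenantContext(requested_org, TENANT_DB[requested_org], roles)
```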

slabiak commented 8 months ago

It's not that I want it for me because it's just convenient for me; I asked this question in the context of integrating my app with Zapier, which I'm currently researching, and I think more users could benefit from the possibility of such an integration. In Zapier you need to provide a token and auth URL to your app's OAuth server, then the user is redirected to the login page where they grant permission to Zapier with the appropriate scopes, and Zapier exchanges the code for a token and then can make calls to our app. The problem is that Zapier will now have a token with access to all the user's organizations; that's why I wanted to select the org during login and have only that org present in the token. I will try to research this topic more and if I find some solution I'll share it here.

ludgerey commented 6 months ago

+1

Limiting the access token to only one organization would be really helpful.

Having the selected organization in the token would be helpful in a microservice architecture, where you pass the token to the services.

Auth0 does it this way: include the organization in the authentication request and the organization is included in the tokens. Source: https://auth0.com/docs/manage-users/organizations/using-tokens

xgp commented 6 months ago

Reopening if someone wants to:

  1. Write a comprehensive specification for how this should work
  2. Write the code and PR it
  3. Validate (by writing comprehensive tests) that "selecting" an organization is never a requirement of any of the functionality in this extension

We have had several requests for an "active organization" idea. There's an open question as to why that should live in the token. The purpose of an IAM system is to provide identity information, not keep application state. From the perspective of separation of concerns, the IAM system should know what organizations the user is a member of, and the application should know what the current "selected" organization is. This is how we do it in our applications (like the hosting dashboard for our self-service product), and we've found it to be the correct separation.

However, many people have asked for it, so if someone would like to build it according to the above, we're happy to look at a PR and include it, despite not agreeing with it in principle.

ludgerey commented 6 months ago

The purpose of an IAM system is to provide identity information, not keep application state.

I wouldn't say it's application state. It is more like limiting the scope of a token.

How scopes work is quite similar: a user might have several scopes available, but an application can decide to only request a subset of those available scopes.

Translating this concept to organizations would be ideal: a user might have several organizations, but an application can (or must?) decide to only request one of the available organizations.

xgp commented 6 months ago

Thank you for the description. Looking forward to the PR!

MGLL commented 5 months ago

Hello @ludgerey @slabiak, I made a contribution for active organization as we had a similar need.

You can have a look if it also matches what you were looking for.

xgp commented 5 months ago

Closing for #150