
Multi-tenant SPA with multiple OIDC providers

Çağlar Arlı - 3 Views


I'm building a multi-tenant app that has the unusual requirement of allowing tenants to use their own choice of external systems for login/authentication.

i.e. tenant 1 uses Azure AD, tenant 2 uses Auth0, tenant 3 uses GitHub, etc.

The plan is that the app recognizes the tenant (from the URL) and offers the appropriate login link to their identity provider, which on success returns an id_token to the client app.

The app (an SPA, so non-confidential) then passes the id_token in each request to the API Gateway, which checks the token is valid, then uses the token to look up the user's authorization rights in an internal user database. These scopes are then passed to the internal back-end APIs.

I'm aware that id_tokens are for the client and access tokens should be used for authN, but in this case the external identity providers are not aware of the users' scopes (readCustomer, writeInvoice etc.) so cannot issue an access token containing them.

My question is: am I potentially making an insecure world of pain for myself, or, under the circumstances, is this a practical solution?

Would it be better to only pass the id_token once to the API Gateway/an internal identity provider controlled by us, then have that return access/refresh tokens from then on?

Is there a better way to achieve these requirements?
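A gateway-side check for the design described in the question, added here as an illustration and not code from the question or from any of the named providers: it binds each presented id_token to the provider configured for the tenant in the URL (issuer, audience, signing keys), pins the algorithm, and only then looks up scopes in an internal table keyed by (iss, sub) rather than by sub alone. The names TenantIdP, KeySet, Claims and MintIDToken are my own; MintIDToken only stands in for an external provider so the check can be exercised offline, and aud is treated as a single string for brevity.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// KeySet holds one provider's signing keys by kid; in production it is fetched from that provider's JWKS and cached.
type KeySet map[string]*rsa.PublicKey

// TenantIdP is the OIDC configuration the gateway selects from the tenant named in the URL.
type TenantIdP struct{ Issuer, ClientID string; Keys KeySet } // ClientID is what the id_token's aud must equal

// Claims the gateway relies on (aud as a single string); encoding/json matches "iss" etc. case-insensitively.
type Claims struct{ Iss, Sub, Aud string; Exp int64 }

var b64 = base64.RawURLEncoding

// VerifyIDToken checks an id_token against the presenting tenant's provider only: pinned alg, known kid, signature, iss, aud, exp.
func VerifyIDToken(idp TenantIdP, token string, now int64) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 { return nil, errors.New("malformed token") }
	var (hdr struct{ Alg, Kid string }; c Claims)
	hdrRaw, e1 := b64.DecodeString(p[0])
	body, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("undecodable token")
	}
	key := idp.Keys[hdr.Kid] // pinning the alg rejects "none" and HMAC-vs-RSA key confusion
	if hdr.Alg != "RS256" || key == nil { return nil, errors.New("unsupported alg or unknown kid for this tenant") }
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, h[:], sig) != nil { return nil, errors.New("bad signature") }
	// now is unix seconds; a token from another tenant's provider fails here even if its key were somehow known
	if c.Iss != idp.Issuer || c.Aud != idp.ClientID || now >= c.Exp { return nil, errors.New("issuer/audience mismatch or expired") }
	return &c, nil
}

// ScopesFor maps the verified identity to internal rights keyed by (iss, sub): the same sub at two providers never collides, and nothing inside the token grants a right.
func ScopesFor(userDB map[string][]string, c *Claims) []string { return userDB[c.Iss+"|"+c.Sub] }

// MintIDToken stands in for a provider, only to exercise the code: it signs c with a fresh key and returns the public half.
func MintIDToken(kid string, c Claims) (string, *rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]any{"iss": c.Iss, "sub": c.Sub, "aud": c.Aud, "exp": c.Exp})
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return signing + "." + b64.EncodeToString(sig), &priv.PublicKey
}
```

Whether the gateway keeps validating the external id_token on every request or exchanges it once for its own short-lived access token, the per-tenant binding and the internal (iss, sub) lookup shown here are the parts that must not be skipped.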