0

In a multi-tenant deployment of a Web application, how can the ASP.NET Core Web API services be designed to work with different authorization services? The Web applications use OAuth and JWT Bearer authentication and pass the access token to the Web API services.

(image)

One approach that I could think of is to get the Authority from the request to understand the identity source and redirect to the respective authorization service.

==>

To elaborate further: when the Web applications are deployed, the authorization service details (Audience, Authority and others) are shared with the API service, as shown in the diagram below. This should not be a problem, since we deploy the Web application and integrate it with the client's identity management system.

(diagram)

In the requests to the API service, the Web app must include app_id along with the access_token in the request headers. This will direct the API service to validate the token with the corresponding authority.

In order to make this work, we have to implement the complete JWT bearer validation middleware. Is this a proper and achievable approach? Are there any other solutions used in these situations?

2
  • Presumably, the list of potential OAuth providers is known beforehand? (otherwise there would be nothing to stop a client setting up their own provider)
    – richzilla
    Commented Feb 13, 2018 at 8:40
  • The list of authentication providers is NOT known beforehand, but we do have control over the deployment and the integration of the web apps and auth providers. Mostly, the authentication providers are multiple client Active Directory services.
    – KDR
    Commented Feb 13, 2018 at 9:28

2 Answers

0

Technically, your approach would work. The token will have the authority embedded in it (the 'issuer' claim); you can use that to retrieve the public key, then validate the JWT.

2
  • I doubt whether this is possible. How will the API service get the public key without knowing the authority? I've elaborated the approach further in my question.
    – KDR
    Commented Feb 13, 2018 at 16:36
  • Presuming your access tokens are JWTs, they will specify an issuer claim. You can read this claim to identify which authority created the token.
    – richzilla
    Commented Feb 13, 2018 at 16:43
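The design in the question (a registry of Authority and Audience per deployed tenant, known to the API service) and richzilla's answer (read the issuer claim, fetch that authority's public key, then validate) can be combined in a single ASP.NET Core JWT bearer configuration. The following is an added example, not code from the question or from either answer. `TenantAuthority`, `TenantRegistry` and `AddMultiTenantJwtBearer` are assumed names, and the tenant list is assumed to be loaded from deployment configuration as the question describes. It keys the lookup on the token's own `iss` claim rather than on a separate app_id header, so a caller cannot steer validation to a different authority than the one that signed the token, and it binds the expected audience to the issuer so a token minted for one tenant is not accepted as another:

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// One entry per deployed tenant. Assumed shape: the question only says the
// "Audience, Authority and others" are shared with the API service at deployment.
public sealed record TenantAuthority(string AppId, string Authority, string Audience);

public sealed class TenantRegistry
{
    private readonly Dictionary<string, TenantAuthority> _byIssuer;
    private readonly ConcurrentDictionary<string, ConfigurationManager<OpenIdConnectConfiguration>> _metadata = new();

    public TenantRegistry(IEnumerable<TenantAuthority> tenants)
    {
        // The 'iss' value inside the token must match the configured authority exactly.
        _byIssuer = tenants.ToDictionary(t => t.Authority, StringComparer.Ordinal);
    }

    // Allowlist handed to the validator: anything not deployed here is rejected.
    public IEnumerable<string> KnownIssuers => _byIssuer.Keys;

    public TenantAuthority? FindByIssuer(string? issuer) =>
        issuer is not null && _byIssuer.TryGetValue(issuer, out var tenant) ? tenant : null;

    // Signing keys for a known tenant, fetched from that authority's OIDC discovery
    // document. ConfigurationManager caches the document and refreshes it on key rollover.
    public IEnumerable<SecurityKey> SigningKeysFor(TenantAuthority tenant)
    {
        var manager = _metadata.GetOrAdd(tenant.Authority, authority =>
            new ConfigurationManager<OpenIdConnectConfiguration>(
                authority.TrimEnd('/') + "/.well-known/openid-configuration",
                new OpenIdConnectConfigurationRetriever()));

        // IssuerSigningKeyResolver is a synchronous delegate, hence the blocking wait.
        return manager.GetConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult().SigningKeys;
    }
}

public static class MultiTenantJwtAuth
{
    public static IServiceCollection AddMultiTenantJwtBearer(this IServiceCollection services, TenantRegistry registry)
    {
        services.AddSingleton(registry);
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Deliberately no options.Authority: that would pin one discovery endpoint.
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuers = registry.KnownIssuers,
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                    {
                        // The still-unverified 'iss' claim only chooses WHICH keys to try;
                        // the signature check against those keys is what proves the claim.
                        var tenant = registry.FindByIssuer(securityToken.Issuer);
                        return tenant is null ? Array.Empty<SecurityKey>() : registry.SigningKeysFor(tenant);
                    },
                    ValidateAudience = true,
                    AudienceValidator = (audiences, securityToken, parameters) =>
                    {
                        // Audience is checked per issuer, not against a pooled list, so a token
                        // issued for tenant A's API registration cannot be replayed as tenant B.
                        var tenant = registry.FindByIssuer(securityToken.Issuer);
                        return tenant is not null && audiences.Contains(tenant.Audience, StringComparer.Ordinal);
                    },
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(2),
                };
            });
        return services;
    }
}

// Wiring at startup (tenants loaded from deployment configuration):
//   services.AddMultiTenantJwtBearer(new TenantRegistry(tenants));
//   app.UseAuthentication();
//   app.UseAuthorization();
```

The middleware itself is still the standard JWT bearer handler; only key resolution and audience validation are made tenant-aware, which is much less to get wrong than re-implementing the full validation pipeline the question considers. A token whose issuer is not in the registry yields no signing keys and fails closed, and richzilla's comment about a client setting up its own provider is answered by the fact that only authorities present in the deployment-time registry are ever consulted.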
-1

Check out http://identityserver.io/. It's a middleware to handle all the auth for you.
