Multi-Tenancy Support
A single OpenID configuration may contain multiple client configurations, but it may contain only one OpenID Provider configuration.
Multi-tenancy support refers to a single application accommodating multiple tenants, each with their own separate OpenID configuration.
For the majority of use cases, a single OpenID configuration is sufficient and multi-tenancy support is not required.
As with a single OpenID configuration, multiple OpenID configurations may be specified using JSON, programmatically through the configuration API or by implementing the IConfigurationResolver interface.
The following is an example outline of multiple OpenID configurations.
"OpenIDProvider": {
  "$schema": "https://www.componentspace.com/schemas/openid-config-schema-v1.0.json",
  "Configurations": [
    {
      "Name": "Tenant1",
      "ProviderConfiguration": {
      },
      "ClientConfigurations": [
      ]
    },
    {
      "Name": "Tenant2",
      "ProviderConfiguration": {
      },
      "ClientConfigurations": [
      ]
    },
    {
      "Name": "Tenant3",
      "ProviderConfiguration": {
      },
      "ClientConfigurations": [
      ]
    }
  ]
}
The Name property uniquely identifies each of the OpenID configurations.
Configuration Selection
Prior to invoking any OpenID API operation, an OpenID configuration must be selected. This is done by setting the ConfigurationName property to specify which OpenID configuration should be used for the current request.
The following example specifies the OpenID configuration to use when processing an authentication request.
// Identify the tenant (application specific, details not shown).
var tenantName = GetTenantName();
// Specify the OpenID configuration.
_openIDProvider.ConfigurationName = tenantName;
// Receive and process the authentication request.
var authenticationRequest = await _openIDProvider.ReceiveAuthnRequestAsync();
Identifying the Tenant
The application is responsible for identifying the tenant and therefore the name to specify when setting the ConfigurationName property.
Possible methods include:
- Separate subdomain names for each tenant
- Query string parameter
- Special HTTP headers or cookies
- IP address ranges
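The subdomain method, as an added example that is not ComponentSpace code: a hypothetical GetTenantName that maps the request's Host header to one of the configuration names from the outline above. The host name, query string, headers and cookies are all supplied by the client, so the value is looked up in a fixed table rather than used directly as the ConfigurationName. The parent domain example.com and the label-to-name table are assumptions.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

public static class TenantResolver
{
    // Assumption: the parent domain shared by all tenants (constructed value).
    private const string BaseDomain = ".example.com";

    // Subdomain label -> configuration Name, matching the JSON outline above.
    private static readonly Dictionary<string, string> Tenants =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["tenant1"] = "Tenant1",
            ["tenant2"] = "Tenant2",
            ["tenant3"] = "Tenant3",
        };

    // Returns the configuration name for a Host header value, or null when
    // the host does not map to a known tenant.
    public static string? GetTenantName(string? hostHeader)
    {
        if (string.IsNullOrEmpty(hostHeader)) return null;

        // Drop an optional port and a trailing dot ("tenant1.example.com:443").
        var host = hostHeader.Split(':')[0].TrimEnd('.');
        if (!host.EndsWith(BaseDomain, StringComparison.OrdinalIgnoreCase)) return null;

        var label = host.Substring(0, host.Length - BaseDomain.Length);

        // Only an exact, single-label match in the fixed table is accepted;
        // the client-supplied string is never returned as the name itself.
        return Tenants.TryGetValue(label, out var name) ? name : null;
    }

    public static void Main()
    {
        // Constructed sample Host header values.
        var hosts = new[] { "tenant1.example.com", "TENANT2.example.com:443",
                            "tenant9.example.com", "a.tenant1.example.com",
                            "tenant1.example.com.other.test" };
        foreach (var h in hosts)
            Console.WriteLine($"{h} -> {GetTenantName(h) ?? "(rejected)"}");
    }
}
```

When the result is null, the request should be rejected rather than processed under a default configuration; ConfigurationName is set only from a non-null result.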