3

I'm building a multi tenant Service Fabric Application, that allows a tenant to specify a login type - Identity(asp.net)/Azure AD.

I have an Authentication service that checks to which tenant the user is linked to and then proceeds to check if the username:password for the user is valid, if valid it returns a JWT token to the gateway API/web API that then allows access to the rest of the services on the cluster.

This is further secured by roles to limit actions and data access etc.

Question 1 What would be a secure way to save the app id and secret given by that tenant if they use azure AD? In my DB and encrypt the info, it would have to be decrypted to connect to the AD(Trying to keep in dynamic).

Question 2 I'm implementing my own sliding refresh tokens to obtain a new JWT after it expires, is there a better/standard approach?

Question 3 Is there a better/standard way to handle this multi-tenant sign in process.

Question 4 Is there a way to have optional claims set on the JWT Subject that would allow access to shared services but prevent access to tenant specific services if the claim value is incorrect?

Edit Ideally the Roles should not be part of the tenants AD/B2C because they role are dynamic and managed from within the application.

Improve this question

2 Answers 2

Reset to default
1

Instead of building your own STS logic, have a look at IdentityServer, a popular and great OSS tool.

For example, have a look here for a multi-tenant example using asp.net core.

It supports adding custom claims to the token, by implementing a Profile Service. Services can be configured to use claims for authorization.

This blog post may also be useful.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

thanks LoekD, i will have a look and upvote if this helped. As i have looked at identityServer but couldn't quite wrap my head around it, due to the fact that the JWT always be generated my my auth service, and not by AZure AD or asp.net Identity
1

I will very strongly advise you ride upon the Azure tenant model and let Azure AD manage all credentials and authentication. In today's world its a very bad idea to store and manage user credentials when there are plenty of Identity Providers available.

Recommended reading:

  1. How to build a multi-tenant app with Azure AD
  2. How to secure a Web API with Azure AD.
  3. Libraries like MSAL.NET will automatically manage token caches and refreshes.
  4. Use roles and groups in Azure AD
  5. Claims in tokens issued can be customized to some extent.

disclaimer: I work for Microsoft

Improve this answer

5 Comments

The issue I have with this, is that user management then falls to the host of the application and not on the tenant, correct me if i am wrong but if the tenant(Organisation) does not have a Azure AD account, i would create a B2C for them, which in turn would require the host to manage this?
Further more, when it comes to roles, in a scenario where there are System Roles that are static, and Dynamic roles per tenant would that also need to be managed by the AD?
So, its quiet common for an ISV to manage tenants for customers who do not yet have an Azure AD tenant. Its a complicated and frustrating affair, but the gap is closing and hopefully will no longer be a problem in near future. You can use B2C, but B2C still does not support roles, so consider this fact in your planning. There is no such thing as "Dynamic roles" in Azure AD. I think you are referring to "Dynamic Groups". Groups and roles are very different things in Azure AD, please refer to this slightly outdated recorded session to understand th
In my scope, the roles would be in the same line as the built in Identity roles, that would then be build into the claims to determine if the user has access to the resource.
Please go through the session I recommended. roles mean different things in different Microsoft products. I would suggest you fish them all once :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.