December 23, 2019 at 8:57 am #27292 seekbirdy (Participant)
We are using Identity Gateway in a setup where it fronts multiple tenants. Auth is done using OIDC authentication code flow against IdentityServer4. Each tenant has its own users with their own properties, roles, etc. The tenants are identified using their domain names and the mapping from the domain name to IdentityServer tenancy is done using a custom Groovy script in IG that mocks the OIDC discovery process as a DiscoveryHandler. This single Identity Gateway has a single clientName/clientId that is shared between all tenants. We wish to have only one client configured in IdentityServer4 and not to enable dynamic registration.
What we want now is to implement the possibility of support authentication via a URL of this kind: https://domain-name/support (as “regular” authentication goes through https://domain-name). In the case of this support authentication, we want the user to be logged in under a separate dedicated IdentityServer tenancy (one such additional tenancy per domain).
At the moment, we experience the problem that when we log in to some domain in the “regular” way (without /support) we cannot log in after this in the “support” way (with /support) until we restart IG (or reload the route config), and vice versa. Our tests show that this occurs because the discovery “web-finger” phase is skipped the second time, and consequently the “domain-name” mapping phase is not invoked; so the auth flow is performed with the tenancy that was used the first time.
So, the more general question is: can we achieve the described functionality using IG, and how could this be done?
Thanks in advance!
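The behaviour described in the post (the second login on the same domain reuses the tenancy resolved the first time, until the route is reloaded) is what happens when a discovery cache is keyed by domain only. The following is an added illustrative model, not Identity Gateway or IdentityServer4 code, with a constructed tenant map and placeholder issuer URLs; it contrasts a cache keyed by domain with one keyed by domain plus the /support flag, so the regular and support tenancies of one domain stay distinct.

```python
"""Illustrative model (not Identity Gateway code) of the discovery-caching
behaviour described in the post: tenant discovery keyed only by domain
collapses the /support and regular logins onto whichever tenancy was
resolved first; keying by (domain, support flag) keeps them distinct."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample mapping: domain -> (regular issuer, support issuer).
# Issuer URLs are placeholders, not real IdentityServer4 tenancies.
TENANT_MAP = {
    "app.example.test": ("https://idp.example.test/tenants/app",
                         "https://idp.example.test/tenants/app-support"),
    "shop.example.test": ("https://idp.example.test/tenants/shop",
                          "https://idp.example.test/tenants/shop-support"),
}


def is_support_path(path: str) -> bool:
    """True for /support and anything beneath it (exact segment match,
    so /supportive-docs is not mistaken for the support entry point)."""
    return path == "/support" or path.startswith("/support/")


def tenant_key(url: str, split_on_support: bool) -> tuple:
    """Derive the cache key from the request URL.

    split_on_support=False models the domain-only key that reproduces the
    reported problem; True models the fixed key that also carries the
    /support flag.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if split_on_support:
        return (host, is_support_path(parts.path))
    return (host,)


def resolve_issuer(url: str) -> str:
    """Mock of the 'web-finger' / domain-mapping phase: pick the issuer
    from the domain and whether the request came in via /support."""
    host, support = tenant_key(url, split_on_support=True)
    if host not in TENANT_MAP:
        raise KeyError(f"no tenancy configured for domain {host!r}")
    regular_issuer, support_issuer = TENANT_MAP[host]
    return support_issuer if support else regular_issuer


@dataclass
class DiscoveryCache:
    """Caches resolved issuers; `lookups` counts how often the mapping phase
    actually ran, which is what the post observed being skipped."""
    split_on_support: bool
    lookups: int = 0
    _cache: dict = field(default_factory=dict)

    def issuer_for(self, url: str) -> str:
        key = tenant_key(url, self.split_on_support)
        if key not in self._cache:
            self.lookups += 1
            self._cache[key] = resolve_issuer(url)
        return self._cache[key]


if __name__ == "__main__":
    for split in (False, True):
        cache = DiscoveryCache(split_on_support=split)
        for u in ("https://app.example.test/", "https://app.example.test/support"):
            print(split, u, "->", cache.issuer_for(u))
```

With the domain-only key the second call returns the tenancy cached by the first one and the mapping phase is never re-run; with the composite key each entry point resolves its own tenancy and both stay cached independently, which is the property the question is asking for.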