ASP.NET Identity + Bearer Token + Multi-Tenant

Question

I've created a multi-tenant application using Entity Framework, WebAPI, ASP.NET Identity. Basically it reads the subdomain of the tenant and using it to read the connection string from the database and sets it on runtime.

Everything is great, database is creating etc, but the only issue now is the ASP.NET Identity Bearer Token.

When I've generated a bearer access token for http://tenant1.#####.com/token , it seems that the token is signed on the same application (no machine key was specified) and it's allowing access to http://tenant2.#####.com controllers as well, which shouldn't be the case as it's different subdomains / tenants.

Are there any ways around this? Or perhaps I should be looking into other Security Framework and not ASP.NET Identity?

Answer 1

MVC5 makes it easy to add a tenant name claim to the user identity. In the Models directory, edit the ApplicationUser class in IdentityModels.cs :

public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
{
    // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
    var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);

    // Add claim for tenant name
    userIdentity.AddClaim(new Claim("tenantName", "abcCompany");

    // Add custom user claims here
    return userIdentity;
}

Then when an authenticated request is processed, validate that the User contains correct claim and value.