
Sub domain Multi Tenant login with IdentityServer4

I'm trying to implement a multi-tenant application with IdentityServer4. Let's say I have:

  • web1.local.com
  • web2.local.com

When I log in to web1.local.com, the other domain, web2.local.com, is also automatically logged in.

Is there any way to separate these logins?

I was thinking of having a custom implementation of IUserSession:

public virtual async Task CreateSessionIdAsync(ClaimsPrincipal principal, AuthenticationProperties properties)
{
    if (principal == null) throw new ArgumentNullException(nameof(principal));
    if (properties == null) throw new ArgumentNullException(nameof(properties));

    var currentSubjectId = (await GetUserAsync())?.GetSubjectId();
    var newSubjectId = principal.GetSubjectId();

    if (!properties.Items.ContainsKey(SessionIdKey) || currentSubjectId != newSubjectId)
    {
        properties.Items[SessionIdKey] = CryptoRandom.CreateUniqueId(16);
    }

    IssueSessionIdCookie(properties.Items[SessionIdKey]);

    Principal = principal;
    Properties = properties;
}

private void IssueSessionIdCookie(string sid)
{
    if (Options.Endpoints.EnableCheckSessionEndpoint)
    {
        if (GetSessionIdCookieValue() != sid)
        {
            HttpContext.Response.Cookies.Append(
                Options.Authentication.CheckSessionCookieName,
                sid,
                CreateSessionIdCookieOptions());
        }
    }
}

What is the best approach?

I believe the problem you are having is that once the session cookie is issued by IdentityServer, regardless of which application was originally used to sign in, IdentityServer will always skip the login on subsequent requests from any other application (because of that originally issued session cookie).

To always force the authentication between different applications, you can use the 'prompt' query string on the authorize request and set it equal to 'login'. More information can be found here: http://docs.identityserver.io/en/latest/endpoints/authorize.html?highlight=prompt
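As an added example (not part of the question or the answer), here is the ASP.NET Core OpenID Connect client configuration for one tenant application that sets prompt=login on every authorize request it sends to IdentityServer4; the authority URL and client id are placeholders.

```csharp
// Added example, not code from the question or the answer.
// Client-side (tenant app) configuration: every challenge redirects to the
// IdentityServer authorize endpoint with prompt=login, so IdentityServer
// re-authenticates the user instead of reusing its existing session cookie.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public static class TenantAuthSetup
{
    public static IServiceCollection AddTenantOidc(this IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://identity.local.com"; // placeholder IdentityServer host
            options.ClientId = "web1";                        // placeholder, one per tenant app
            options.ResponseType = "code";
            options.SaveTokens = true;

            options.Events = new OpenIdConnectEvents
            {
                // Runs just before the browser is redirected to the authorize endpoint.
                OnRedirectToIdentityProvider = ctx =>
                {
                    // prompt=login: IdentityServer shows the login page even when
                    // its own session cookie (shared across all client apps) exists.
                    ctx.ProtocolMessage.Prompt = "login";
                    return Task.CompletedTask;
                }
            };
        });

        return services;
    }
}
```

Each tenant app (web1, web2) registers its own copy with its own ClientId; the IdentityServer session cookie itself is still a single cookie on the IdentityServer host, so this forces a fresh credential prompt per application rather than creating separate sessions.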
