Angular + Google Identity Platform multi-tenancy

Question

I have an Angular app that currently uses Firebase auth and Firebase hosting. I'm considering moving to Google Identity Platform with multi-tenancy. In this scenario a tenant ID must be passed to the auth object in the Angular app.

My question is how we can find the appropriate tenant ID dynamically. If we used subdomain names or paths in the Angular app to distinguish between tenants, we would need to map from those human-friendly names to the Google Identity Platform tenant ID. For example, a subdomain might be:

tenantname.mysite.com

But the tenant ID would be something like

tenantname+some_random_string

Is there a way to do this securely, given that the user hasn't logged in yet, so we can't use eg an authenticated API call, or a map on a database with Firebase security rules?

The Google docs suggest allowing the user to choose from a list but that solution doesn't work for us.

Answer 1

The short answer is, no, you must specify the tenant in order to authenticate the user. One approach that balances security and user-friendliness is a two-staged approach:

1. Maintain a user to tenant map that is updated whenever a user is added, modified or deleted in a tenant. Use asynchronous triggers to manage this and store email, tenant ID and status (enabled/disabled).

2. Create a simple secured REST API endpoint on Cloud Run that returns the tenant or tenants associated with that email.

The login flow is then very similar to Google's own authentication flow:

1. Your login form will have a single field for an email address. The user enters their email address and submits the form.

2. The email address is sent to the API endpoint that returns the tenant or tenants it's associated with.

3. The password input field appears and the user completes authentication process against the correct tenant. If more than one tenant appears they must select their desired tenant.