We would like to provide a multi-tenant application that identifies the tenant based on a subdomain. As authentication server we use Keycloak, in which each tenant has its own realm.
Now we want to authenticate all requests to our application using an auth proxy. If the request is already authenticated (it has a cookie), the request should be forwarded to the backends. If the request is not yet authenticated (it does not have a cookie), the request should be forwarded to Keycloak and to the correct realm based on the subdomain, and an OAuth flow should be initiated. After successful login, a cookie should be set so that all subsequent requests are authenticated. This is exactly the functionality offered by oauth2-proxy. However, we have the further requirement that we have different realms that map the individual tenants. This is not possible with oauth2-proxy at the moment.
Is there another solution besides oauth2-proxy that offers this functionality (possibly Nginx or a plugin for it)?
Thanks
OIDC PLUGIN
You could use lua-resty-openidc with any Lua-based Nginx system, e.g. Kong or OpenResty. This is an established plugin that does the same job as oauth2-proxy. You can have multiple instances of it configured, for different paths, representing different tenants:
location /tenant1/ {
    rewrite_by_lua_block {
        -- per-tenant settings (discovery URL, client_id, client_secret, redirect_uri)
        local opts = { ... }
        local res, err = require("resty.openidc").authenticate(opts)
        if err then
            ngx.status = 403
            ngx.say(err)
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    }
}
location /tenant2/ {
    rewrite_by_lua_block {
        -- per-tenant settings for the second realm
        local opts = { ... }
        local res, err = require("resty.openidc").authenticate(opts)
        if err then
            ngx.status = 403
            ngx.say(err)
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    }
}
There are also various ways to look at input criteria, such as an origin header, and re-route accordingly, which can be useful sometimes, though there is a learning curve.
DESIGN
I would question your design a little though. Multiple realms effectively means your apps need to deal with multiple authorization servers, which is a complex setup. E.g. APIs need to validate multiple types of access token.
If possible, prefer a solution where you use a single authorization server and simply add a tenant ID claim to access tokens, then ensure that APIs deny access to tenant 2 data for users from tenant 1.
This related answer on multiple realms for a single application also discusses some trade offs around how data can be accessed.
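As an added example (not from the answer above or from the lua-resty-openidc project), here is how the subdomain-based routing the question asks for can be done in a single OpenResty location instead of one location per path: the tenant is taken from a named capture in server_name, looked up in an explicit allow-list, and only then mapped to a Keycloak realm. The domain names, realm names, client ids and secrets are placeholders, and the Keycloak discovery path assumes a recent Keycloak (without the older /auth prefix).

```nginx
# Assumed: OpenResty with lua-resty-openidc and lua-resty-session installed,
# Keycloak reachable at keycloak.example.com, one realm per tenant.
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 3;
resolver 1.1.1.1;

server {
    listen 443 ssl;
    # placeholder domain; the capture becomes $tenant
    server_name ~^(?<tenant>[a-z0-9-]+)\.app\.example\.com$;
    set $session_secret "REPLACE-WITH-LONG-RANDOM-SECRET";

    location / {
        access_by_lua_block {
            -- Explicit allow-list: subdomain -> realm and client. Never build
            -- the discovery URL straight from the Host header, otherwise a
            -- forged Host would point the proxy at an attacker-chosen issuer.
            -- Secrets are placeholders; load them from a secret store.
            local tenants = {
                acme   = { realm = "acme",   client_id = "proxy-acme",   client_secret = "ACME-SECRET" },
                globex = { realm = "globex", client_id = "proxy-globex", client_secret = "GLOBEX-SECRET" },
            }
            local t = tenants[ngx.var.tenant]
            if not t then
                ngx.exit(ngx.HTTP_NOT_FOUND)   -- unknown subdomain: no realm, no login
            end
            local opts = {
                discovery = "https://keycloak.example.com/realms/" .. t.realm
                            .. "/.well-known/openid-configuration",
                client_id = t.client_id,
                client_secret = t.client_secret,
                -- must be registered as a valid redirect URI on the Keycloak client
                redirect_uri = "https://" .. ngx.var.host .. "/redirect_uri",
                scope = "openid",
                ssl_verify = "yes",
            }
            -- Redirects unauthenticated browsers to the realm's login page;
            -- returns the session claims once the cookie is valid.
            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.status = 500
                ngx.say(err)
                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end
            -- Identity for the backend; set_header overwrites any copy the
            -- client sent, so these cannot be spoofed from outside.
            ngx.req.set_header("X-Tenant", t.realm)
            ngx.req.set_header("X-User", res.id_token.sub)
        }
        proxy_pass http://backend;
    }
}
```

The session cookie is scoped to the requesting host by default, so a session for acme.app.example.com is not presented to globex.app.example.com; do not configure a shared parent cookie domain across tenants.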