
Tenant : Change URL logic

Open MaximeWewer opened this issue 1 year ago • 2 comments

Is your feature request related to a problem? Please describe. I'm using tenant functionality and having some issues due to URL prefix logic:

  • I need to add a DNS entry for each tenant to my DNS
  • Security issues => tenant enumeration: with prefix url you can do enumeration on authentik domain
  • Bypass limitation related to domain matching. Some service providers can manage multiple IdP providers and match the domain for it. With suffix logic, you can implement multiple IdPs without a problem.

Describe the solution you'd like I would like to see tenant suffix URL logic

Actual: tenant1.authentik.com

Would like: authentik.com/tenant1/ or: authentik.com/<UUID of tenant>/ => to remove domain enumeration

Describe alternatives you've considered We can imagine a toggle to keep the current logic and let the user choose the preferred logic

Additional context I think we can imagine two queries to fill in the context: Check the suffix pattern first and if it doesn't match, perform the current query. https://github.com/goauthentik/authentik/blob/ba3e78c75a9580b17583fe83add75f36bf840e03/authentik/tenants/utils.py#L17

MaximeWewer avatar Jul 04 '23 14:07 MaximeWewer
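A sketch of the two-stage lookup proposed in the issue (path segment matched against a tenant slug or tenant UUID first, then the existing host-based match as fallback), added here as an illustration; this is not authentik's code, and the Tenant dataclass, slugs, domains and UUIDs are constructed sample data.

```python
import uuid
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Tenant:
    """Hypothetical tenant record (not authentik's model)."""
    uuid: str
    slug: str
    domain: str
    default: bool = False


# Constructed sample tenants for the example.
TENANTS = [
    Tenant("8f0d1c2e-5b4a-4d3c-9e2f-1a2b3c4d5e6f", "tenant1", "tenant1.authentik.com"),
    Tenant("0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d", "tenant2", "tenant2.authentik.com"),
    Tenant("c3d4e5f6-7a8b-4c9d-8e0f-1a2b3c4d5e6f", "default", "authentik.com", default=True),
]


def resolve_by_path(path: str, tenants: Sequence[Tenant]) -> Optional[Tenant]:
    """Suffix logic: first path segment is a tenant slug or a tenant UUID."""
    stripped = path.strip("/")
    segment = stripped.split("/", 1)[0].lower() if stripped else ""
    if not segment:
        return None
    for tenant in tenants:
        if segment == tenant.slug.lower():
            return tenant
    try:
        wanted = uuid.UUID(segment)  # strict parse; arbitrary strings are rejected
    except ValueError:
        return None
    return next((t for t in tenants if uuid.UUID(t.uuid) == wanted), None)


def resolve_by_host(host: str, tenants: Sequence[Tenant]) -> Optional[Tenant]:
    """Current-style logic: longest tenant domain that the request host falls under."""
    host = host.split(":", 1)[0].lower()  # drop any port
    matches = [t for t in tenants
               if host == t.domain.lower() or host.endswith("." + t.domain.lower())]
    return max(matches, key=lambda t: len(t.domain), default=None)


def resolve_tenant(host: str, path: str, tenants: Sequence[Tenant]) -> Optional[Tenant]:
    """Path-based match first, then host-based match, then the default tenant."""
    return (resolve_by_path(path, tenants)
            or resolve_by_host(host, tenants)
            or next((t for t in tenants if t.default), None))
```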

Linked to https://github.com/goauthentik/authentik/pull/8675

MaximeWewer avatar Apr 25 '24 10:04 MaximeWewer

+1

cfradewavecom avatar May 10 '24 13:05 cfradewavecom

(For context, the tenants mentioned in this issue have been renamed to "Brands" since)

This is not something we'll change anytime soon. The main idea behind "Brands" is to have separate branding on completely separate domains. To prevent domain enumeration, you could use a wildcard certificate.

BeryJu avatar Jul 11 '24 16:07 BeryJu