
Change/specify client id dynamically

Open schinois opened this issue 1 year ago • 7 comments

Hi,

for my project I want to work with a subdomain as a multitenant : x.domain.com y.domain.com z.domain.com

I would like to specify x, y or z as the clientId during the login workflow so that I get it back during the callback in the azp claim. The goal is to make a fully hermetic token for each client: if I'm working for both the x and z clients, I want to be sure that x's data will not go to y's back API. This way my token will carry its own tenant (x, y or z) in its "azp" claim.

Can you tell me if this feature is supported, or give me your ideas on how to do it myself (or maybe you have a better idea)?

Thank you in advance :)

schinois avatar Sep 23 '24 18:09 schinois

Hi @schinois, this is currently not supported. Just from an OIDC perspective it would also mean having three different client applications with their respective audience, redirectUri, etc. configuration. In a multitenant scenario, the clientId should stay the same, as the client is always the same frontend application (unless you have completely different instances of your application, which is then just a separate configuration for each instance), and the different tenants should then be handled by claims in the token. You could use custom claims in your IdP, custom roles or whatever it supports. You should also be aware of what the audience of the auth process is. If you are going to use the token to access your app's API, then the audience should be the clientId of the API, hinted by a resource hint on login. If you have separate customer domains because of an SSO requirement, your IdP should have the customer's OIDC provider added as a trusted/federated party and should handle that internally with a hint via query params from the frontend.

itpropro avatar Sep 24 '24 00:09 itpropro

Hi @itpropro ,

thank you for your quick answer and your advice, which I will follow. Regarding the subdomains, I made some changes to your module to force the redirect URL in the config.ts validateConfig() method:

```ts
(config as any)["redirectUri"] = (config as any)["redirectUri"].replace("tenant", tenant);
```

It works perfectly, but is there any other way to perform this without changing any code? Thank you in advance.

schinois avatar Sep 29 '24 19:09 schinois

Can you specify exactly what you changed so I know what you mean? I don't know if I understand your use case exactly, but if you could specify a little what currently works for you, I think we could integrate this into the login function as an optional parameter.

itpropro avatar Sep 30 '24 16:09 itpropro

Hi @itpropro ,

for example, a user has access to the "front" clientId with "orga1" and "orga2" audiences (maybe he works half the time for orga1 and the rest of the time for orga2). He can open 2 tabs in his browser, add bookmarks, etc. for both orga1 and orga2. So I want to use the subdomain as the tenant: orga1.domain.com, orga2.domain.com

and so the callback URL of OIDC will be xxx.domain.com/auth/keycloak/callback. Actually it's not possible because the callback URL is set in the config file and cannot be updated/used dynamically.

Here is what I have done on my side (I'm sure it's not the prettiest solution, but it works :D):

```ts
/**
 * Validate a configuration object
 * @param config The configuration object to validate
 * @returns ValidationResult object with the validation result and the validated config stripped of optional properties
 */
export function validateConfig<T>(config: T, requiredProps: string[], event: H3Event): ValidationResult<T> {
  const missingProperties: string[] = []
  let valid = true;

  // Override the configured redirectUri with one built from the current request's tenant subdomain
  (config as any)["redirectUri"] = `${getRequestURL(event).protocol}//${getTenant(event)}.${process.env.NUXT_HOST}:${process.env.PORT}${useRuntimeConfig().app.baseURL ?? '/'}auth/keycloak/callback`;
  // ... rest of the function unchanged
```

schinois avatar Sep 30 '24 18:09 schinois

So you want the configured callback URI to be set based on the current host? Do I understand correctly that you are basically hosting the same application under multiple subdomains, so it would not be possible to manage this by environment variables?

itpropro avatar Sep 30 '24 22:09 itpropro

Yes absolutely :)

schinois avatar Oct 03 '24 22:10 schinois

Thanks for clarifying! Customizing the redirect URI by handing it over to the login composable is in the backlog. It will work like the additional logout parameters, where you have to create an allowlist in the config of the parameters you want to allow to be overwritten.

itpropro avatar Oct 04 '24 00:10 itpropro
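An added example, not code from nuxt-oidc-auth or from either participant, illustrating the two points made in this thread: deriving a per-tenant redirect URI from the request host only after validating the tenant against an allowlist (rather than echoing whatever `Host` header arrives, which would let an attacker steer the authorization code to a host they control), and enforcing tenant isolation on the API side through token claims instead of per-tenant client IDs. The `TenantConfig` shape, the `tenant` custom claim and the `back-api` audience are assumptions for illustration, not the module's configuration or Keycloak defaults.

```typescript
// Added example (not part of nuxt-oidc-auth). Assumptions: tenants are
// allowlisted, the base domain is fixed, and the IdP emits the tenant in a
// custom claim named "tenant". All names here are hypothetical.

interface TenantConfig {
  baseDomain: string;                 // e.g. "domain.com"
  allowedTenants: ReadonlySet<string>; // tenants registered at the IdP
  callbackPath: string;               // e.g. "/auth/keycloak/callback"
  expectedAudience: string;           // the API's own client id
}

// One DNS label: letters, digits and hyphens only. No dots, so a label like
// "evil.orga1" cannot smuggle an extra subdomain level through.
const HOSTNAME_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Extract and validate the tenant from a Host header. Returns null on any
// mismatch so the caller decides how to fail. The host must be exactly
// "<tenant>.<baseDomain>" (port ignored); "orga1.domain.com.evil.example"
// and "evil.orga1.domain.com" are both rejected.
export function tenantFromHost(hostHeader: string, cfg: TenantConfig): string | null {
  const host = hostHeader.toLowerCase().split(":")[0];
  const suffix = "." + cfg.baseDomain.toLowerCase();
  if (!host.endsWith(suffix)) return null;
  const label = host.slice(0, -suffix.length);
  if (!HOSTNAME_LABEL.test(label)) return null;
  return cfg.allowedTenants.has(label) ? label : null;
}

// Build the redirect URI for the tenant of the current request. The URI is
// reassembled from validated parts only and is always https, so the raw
// Host header never reaches the authorization request.
export function buildRedirectUri(hostHeader: string, cfg: TenantConfig): string {
  const tenant = tenantFromHost(hostHeader, cfg);
  if (tenant === null) throw new Error(`unknown tenant host: ${hostHeader}`);
  return `https://${tenant}.${cfg.baseDomain}${cfg.callbackPath}`;
}

// Minimal decoded (already signature-verified) token payload for the check.
interface TokenClaims {
  aud: string | string[];
  tenant?: string; // hypothetical custom claim set by the IdP
  azp?: string;
}

// API-side isolation check: the token must be issued for this API and its
// tenant claim must equal the tenant of the host the request arrived on.
// A token minted for orga1 therefore cannot read orga2's data even though
// both tenants share the same frontend clientId.
export function tokenMatchesTenant(claims: TokenClaims, hostHeader: string, cfg: TenantConfig): boolean {
  const tenant = tenantFromHost(hostHeader, cfg);
  if (tenant === null) return false;
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(cfg.expectedAudience)) return false;
  return claims.tenant === tenant;
}

// Constructed sample configuration for the two tenants named in the thread.
export const exampleConfig: TenantConfig = {
  baseDomain: "domain.com",
  allowedTenants: new Set(["orga1", "orga2"]),
  callbackPath: "/auth/keycloak/callback",
  expectedAudience: "back-api",
};
```

Whatever value `buildRedirectUri` produces still has to be registered as an exact redirect URI on the Keycloak client (one entry per tenant subdomain, or a carefully scoped wildcard); the allowlist here only protects the application side, it does not relax what the IdP enforces.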