
Support Customer-Specified Tenant IDs

Open db-ot opened this issue 2 months ago • 0 comments

User story

As a hoster/operator, I want to be able to create tenants with a customer-specified ID so that tenant IDs in our system match those in the customer’s identity provider.

Description

The system should (optionally) allow tenant creation with a customer-defined ID instead of always generating one internally. The tenant ID might also be provided via the user’s claims from the customer’s identity provider.

Acceptance Criteria

  • It is possible to create tenants with a custom ID provided at creation time
  • Tenant ID can be derived from user claims when provided by the customer’s identity provider
  • Create a config flag
  • Documentation updated on how to run and access the service

Implementation Details

Related ADR: https://github.com/opencloud-eu/opencloud/blob/main/docs/adr/0002-use-education-api-for-multitenant-user-provisioning.md

We plan to use the Education API to provision Users and Tenants in a Multi-Tenant OpenCloud setup. A Tenant matches a "School" in terms of the Education API (https://docs.opencloud.eu/swagger/libre-graph-api/#/educationSchool)

A school created via the Education API currently gets a server-generated UUID assigned. When a user is assigned to a school (tenant), that ID is used to store the relation between the user and the school, i.e. an attribute (currently openCloudMemberOfSchool) whose value is the UUID of the school is added to the user object on the LDAP server.

For the multi-tenancy setup, the users logging in to OpenCloud using OIDC will have an additional claim on their access token that contains their "Tenant ID". That ID, however, comes from the customer's user management and is different from the UUID that we generated when the School/Tenant was created in our system. We should nevertheless validate that the "Tenant ID" in the claims actually matches the Tenant that the user was assigned to with the provisioning API.

Braindump of possible solutions (@rhafer)

A simple way to solve this would be to allow the ID of a School to be provided by the client at creation time (instead of generating one server side).

A more complex way would be to let the client set the "external" Tenant ID as the schoolNumber or externalId attribute on the School object, and add some logic to the accountresolver or oidc middleware in the proxy service that is able to resolve the external tenant id as supplied via the oidc claim to the internal tenant id as stored in the user object (e.g. by calling into the Education API Endpoints).

A third way could be to just keep the server generated UUIDs intact, but let the client set an externalId attribute on the School/Tenant during creation and, instead of using the UUID for storing the user <-> tenant assignment, just use the externalId.

I've a slight preference for the first solution; it's a bit unclean as it relies on user-supplied IDs for the assignment, but it's probably the most pragmatic solution.

db-ot, Oct 02 '25 10:10
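To make the validation the issue asks for concrete, here is an added Go example (not code from the OpenCloud project) of a resolver that maps the tenant ID carried in the OIDC claim to the internal school ID and then checks it against the school stored in the user's openCloudMemberOfSchool attribute. It covers solution 1 (the claim equals a customer-specified internal ID) and solutions 2/3 (the claim is matched against the school's externalId) in one lookup. The Go types, the in-memory school list, the `TenantID` claim field and the error names are assumptions for this example; the school IDs and user are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// School mirrors the two fields of an Education API school that matter here:
// the internal ID (today a server-generated UUID) and an externalId that the
// customer may set at creation time. Type is an assumption for this example.
type School struct {
	ID         string
	ExternalID string
}

// Claims is the subset of the OIDC access token we need. The field name
// TenantID is a placeholder; the issue does not fix the claim's name.
type Claims struct {
	Subject  string
	TenantID string
}

// LDAPUser holds the openCloudMemberOfSchool value written by the
// provisioning API when the user was assigned to a school.
type LDAPUser struct {
	Subject        string
	MemberOfSchool string
}

var (
	ErrNoTenantClaim      = errors.New("access token carries no tenant id claim")
	ErrUnknownTenant      = errors.New("tenant id from claim matches no provisioned school")
	ErrAssignmentMismatch = errors.New("tenant id from claim does not match the school the user is assigned to")
)

// TenantResolver maps a customer-side tenant ID to an internal school ID.
// A claim value is accepted if it equals an internal ID (customer-specified
// IDs, solution 1) or a school's externalId (solutions 2/3).
type TenantResolver struct {
	byID       map[string]School
	byExternal map[string]School
}

// NewTenantResolver indexes the provisioned schools by both identifiers.
func NewTenantResolver(schools []School) *TenantResolver {
	r := &TenantResolver{byID: map[string]School{}, byExternal: map[string]School{}}
	for _, s := range schools {
		r.byID[s.ID] = s
		if s.ExternalID != "" {
			r.byExternal[s.ExternalID] = s
		}
	}
	return r
}

// Resolve returns the internal school ID for the tenant ID found in the claim.
// A missing or unknown value is rejected rather than silently passed through.
func (r *TenantResolver) Resolve(claimTenantID string) (string, error) {
	if claimTenantID == "" {
		return "", ErrNoTenantClaim
	}
	if s, ok := r.byID[claimTenantID]; ok {
		return s.ID, nil
	}
	if s, ok := r.byExternal[claimTenantID]; ok {
		return s.ID, nil
	}
	return "", ErrUnknownTenant
}

// ValidateAssignment is the check the issue describes: the tenant named in the
// token must be the school the user was assigned to during provisioning.
// On success it returns the internal school ID to use for the request.
func (r *TenantResolver) ValidateAssignment(c Claims, u LDAPUser) (string, error) {
	internalID, err := r.Resolve(c.TenantID)
	if err != nil {
		return "", err
	}
	if u.MemberOfSchool != internalID {
		return "", ErrAssignmentMismatch
	}
	return internalID, nil
}

func main() {
	// Constructed sample data: two provisioned schools and one assigned user.
	r := NewTenantResolver([]School{
		{ID: "11111111-1111-4111-8111-111111111111", ExternalID: "acme-school-42"},
		{ID: "22222222-2222-4222-8222-222222222222", ExternalID: "beta-school-7"},
	})
	alice := LDAPUser{Subject: "alice", MemberOfSchool: "11111111-1111-4111-8111-111111111111"}

	// Claim carries the customer's external ID: resolves and matches the assignment.
	fmt.Println(r.ValidateAssignment(Claims{Subject: "alice", TenantID: "acme-school-42"}, alice))
	// Claim names a different tenant than the one alice was assigned to: rejected.
	fmt.Println(r.ValidateAssignment(Claims{Subject: "alice", TenantID: "beta-school-7"}, alice))
}
```

The resolver is deliberately strict: a token without the claim, a claim naming no provisioned school, and a claim naming a school other than the one in openCloudMemberOfSchool all fail closed, so a customer-supplied ID can never widen a user's access beyond the tenant the provisioning API assigned them to.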