I have two software products with different business logic and different databases. Both are multi-tenant: every user has a TenantId property that identifies the data of their organization, e.g.

dbo.Xpto.Where(x => x.TenantId == userLogged.TenantId);

I want to unify the login and implement IdentityServer, but I have a doubt: how will I capture the user's TenantId if the user has a different TenantId in each product?

I thought of adding claims, for example

new Claim("SoftwareOne:TenantId", "123")
new Claim("SoftwareTwo:TenantId", "8f8b8d87-fc07-4508-a33a-2b5f55820836")

and requesting them by scope.
You'll need to see authentication separated from authorization.
Use IdentityServer to authenticate and, in general, authorize (and by that I mean without context-specific claims) the user, while the actual authorization is done locally or by a separate authorization server.
My setup would be like this:
Identity context: users + user claims. For authentication only. Context independent, e.g. as a freelance consultant I have a specific role in different organizations, while my profession remains the same.
So the profession claim would be a user claim, while the role would be an authorization claim.
Authorization context: users (id = sub claim) + per application: roles, permissions, etc. In separate 'local' databases or in a central database. Context specific, for authorization only. Take a look at PolicyServer.
Instead of or combined with an authorization server you can implement resource-based authorization.
Business context: users (Id, Name, 'foreign key' sub claim, without the actual database relation as the table is outside the context) + teams, profile, settings, etc. Linked to the sub claim value when users table is omitted.
See my answer here for additional information.
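The following is an added illustration of the separation the answer describes; it is not code from the question, the answer, IdentityServer or PolicyServer. It shows one of the two APIs validating an IdentityServer-issued token purely for authentication, then resolving the caller's tenant for this application from a local table keyed only by the `sub` claim value (no database relation to the identity store), and finally filtering business data by that locally resolved tenant. The authority URL, audience, the `TenantMembership` table, the `tenant_id` claim name and the SQLite connection string are all assumptions; the Microsoft.EntityFrameworkCore.Sqlite package is assumed to be referenced.

```csharp
// Added example, not from the original post. Assumes an ASP.NET Core 6+ web project
// referencing Microsoft.EntityFrameworkCore.Sqlite. Names below are illustrative.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Business/authorization context of THIS application only (assumed local SQLite file).
builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=softwareone.db"));

// Authentication context: trust tokens from IdentityServer, nothing tenant-specific here.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = "https://identity.example.com"; // assumed IdentityServer address
        o.Audience = "softwareone.api";                 // assumed API resource name
        o.MapInboundClaims = false;                     // keep the claim type literally "sub"
    });

// Authorization context: enrich the principal with the tenant this app knows the subject by.
builder.Services.AddScoped<IClaimsTransformation, TenantClaimsTransformation>();
builder.Services.AddAuthorization(o =>
    o.AddPolicy("TenantMember", p => p.RequireAuthenticatedUser().RequireClaim("tenant_id")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Data access filters by the locally resolved tenant, never by anything the token says.
app.MapGet("/xpto", async (ClaimsPrincipal user, AppDbContext db) =>
{
    var tenantId = int.Parse(user.FindFirst("tenant_id")!.Value); // guaranteed by the policy
    return await db.Xpto.Where(x => x.TenantId == tenantId).ToListAsync();
}).RequireAuthorization("TenantMember");

app.Run();

// Local mapping table: which tenant the subject belongs to in this application.
// Sub holds the `sub` claim value as a plain string; there is no FK to the identity database.
public class TenantMembership
{
    public int Id { get; set; }
    public string Sub { get; set; } = "";
    public int TenantId { get; set; }
}

public class Xpto
{
    public int Id { get; set; }
    public int TenantId { get; set; }
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<TenantMembership> TenantMemberships => Set<TenantMembership>();
    public DbSet<Xpto> Xpto => Set<Xpto>();
}

// Runs after token validation on every request; turns the context-free identity
// (just `sub`) into a context-specific one for this application.
public class TenantClaimsTransformation : IClaimsTransformation
{
    private readonly AppDbContext _db;
    public TenantClaimsTransformation(AppDbContext db) => _db = db;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // The hook may be invoked more than once per request; do not add the claim twice.
        if (principal.HasClaim(c => c.Type == "tenant_id")) return principal;

        var sub = principal.FindFirst("sub")?.Value;
        if (sub is null) return principal;

        var membership = await _db.TenantMemberships.AsNoTracking()
            .SingleOrDefaultAsync(m => m.Sub == sub);
        // Authenticated at IdentityServer but unknown here: leave the principal without a
        // tenant, so the "TenantMember" policy rejects the request with 403.
        if (membership is null) return principal;

        var identity = new ClaimsIdentity();
        identity.AddClaim(new Claim("tenant_id", membership.TenantId.ToString()));
        principal.AddIdentity(identity);
        return principal;
    }
}
```

The second application would carry its own `TenantMembership` table (keyed by the same `sub` value but holding, say, a Guid tenant id) and its own transformation, so the token never has to carry per-application `SoftwareOne:TenantId` style claims and IdentityServer never learns which tenant a user belongs to in either product.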