I'm writing a cloud based multi tenant application. I'd like tenants to manage their own users - add, remove users - manage permissions etc. I'm kind of hoping there is a provider out there that already handles this. I don't want to have to write all those screens. I'd rather set up the list of roles and permissions and let the tenant admins go in and manage their users.
All I want if for a logged in user to get a list of permissions. I can code against those permissions in my application.
Does such a thing exist?
Disclosure: Answer provided by an Auth0 employee.
If I understood correctly you should be able to accomplish your goals using Auth0 solutions aimed at multi-tenant applications. There are a couple of resources that should help you get started, although I would give particular focus to Using Auth0 with Multi-tenant Apps.
In the section (A single Auth0 account for all tenants) you'll notice that the simpler management option would be to only have a single Auth0 account, however, your use case could be accomplished by having each tenant have their own separate account which would make it possible for them to manage their users from Auth0 built-in dashboard. (no need for you to write custom screens)
One account for all tenants is simpler and allows you to manage them in one place.
Only if you want to share access to the dashboard with tenants would a separate Auth0 account per tenant be required.
Also check section (Different roles for each tenant) for a possible way on how to handle your user role and permission information.
Additionally, there's a sample multi-tenant app where each tenant has its own Auth0 account on Github if you want to delve into the more technical aspects.
On the other hand, if your tenants already have their own authentication solution in place you can easily integrate that with your Auth0 enabled SaaS application. See Building multi-tenant, SaaS applications with Azure AD and Auth0 for a detailed example on Azure AD integration, but don't think you would be restricted only to Azure AD integration as Auth0 supports a wide range of identity providers (Identity Providers Supported by Auth0).
Related
Im trying to add user roles into my spring security application(the end goal is to make a role for paid users). Im using oidc for authentication. I have 3 different applications, one client, one resource server and one custom auth server(used to login with username and password). I have also integrated google as login option directly into my client application. looks like this. Both using authorization code flow.
The problem I encounter is how to integrate user roles the best way. Because Im thinking that all users should be stored at one place.
When users login/registrer with username and password I can get/store the account in the auth server's database. But when someone uses google I have no idea how to store the user.
My questions is:
When someone login with google my client and google are communicating. But is it possible to somehow make my custom auth server act like a "middle man" so I can store and get data, probably from the jwt token? That would be great for implementing my user roles.
Yes, this "man in the middle" is pretty common. It is called identity federation.
Quite a few OIDC authorization-server on the market support "social login" (login with Google, but also Facebook, Github, etc.) and role management.
Keycloak is a famous "on premise" sample, but there are also many SaaS ones like Okta, Auth0, Amazon Cognito,...
I have a keycloak deployment where I am federating users from a legacy DB. So far this is working good. Now I'm trying to add some clients that will be our API users. Creating, adding roles, and creating a service account seems to be all good as well.
But I need these service accounts to be in table where my federated users are. My app uses ACLs which based on my user table.
I don't see anything in the develop guide. Is this possible?
Here's the context :
I have currently a Corporate Azure AD tenant (Teams, ...) and created a B2C tenant dedicated to my customers which I plan to use for my website authentication.
I guess It is the purpose of the "multi-tenant" option when registering the app but I wonder If I can limit only to the two tenants I own and not opening my website to anyone which has a Microsoft account (for what I understand reading the Microsoft documentation).
If anyone which had already set up a similar authentication process can guide me maybe or just give me some tips to do website authentication by checking if the user account is valid in one of the two tenants ?
Thank you in advance and feel free to ask if you need any more information (maybe I wasn't clear enough).
In Azure AD B2C using custom policies you can set up sign-in for Multi-tenant Azure AD which allows users from multiple Azure AD tenants to sign in, without you having to configure an identity provider for each tenant.
In the custom policy using https://login.microsoftonline.com/ as the value for ValidTokenIssuerPrefixes you can restrict access to specific list of Azure AD tenant users who can sign in.
Please refer the above mentioned document on how to sent up the configuration, as you can see in the add claim provider section how to configure multiple organizations/Tenants with the comma separator.
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>
Please refer documentation and samples which helps you in getting started with custom policies
I got absolutely confused when trying to understand the differences between MicrosoftAccount, AzureAD and OpenIDConnect authentications.
I am trying to build a .Net Core MVC app that allows some users to authenticate with local accounts, but some with Microsoft accounts. I do need to have a local user in DB for both types of authentications as I have some custom authorization mechanisms built on that.
I started with creating the app from template and selected "local accounts" authentication. Then I added the MicrosoftAccount authentication according to this tutorial (https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/microsoft-logins?view=aspnetcore-3.1). This is using Microsoft.AspNetCore.Authentication.MicrosoftAccount and seems to be working fine.
However, when I create a new app from template and select "work or school account" authentication I can see it uses a different library - Microsoft.AspNetCore.Authentication.AzureAD.UI. It seems to do the same thing. I can see there are events I could hook into to connect the AAD user with my local DB.
Looking through the web I found some other tutorials that were using OpenIDConnect for the same purpose.
How are those methods different? Which one should I use and why?
In future I would like to be able to query the user's directory for a list of other users. Would that requirement be easier met with either of those three methods?
MicrosoftAccount: This is the login with a general Microsoft account, using OAuth2. This is also what Microsoft will refer to as “private account” and useful when you want to authenticate someone just using their Microsoft login as an external authentication provider. This is similar to how you would sign in to sites with your Google account.
AzureAD: This is the sign in to a specific Azure tenant. This is often understood as a “work or school account” because it doesn’t sign people in using a public account but rather some account bound to some organization. Usually, you would have an Azure tenant where you have direct users (or configure it to allow external users) but you want to control access through that Azure AD.
OpenIdConnect: This is the general OpenID Connect protocol which you can use to sign in with many different authentication providers because it is a protocol that many of them will support. You can use OIDC to sign in to either of the above (and many other services) but that will require you to do some more configuration as you will need to figure out specific addresses for example.
You can always use the OpenIdConnect or the OAuth authentication scheme to authenticate with most authentication providers but those are the “manual” schemes which will require you to configure additional things. All the other authentication schemes, including MicrosoftAccount and AzureAD but also the other ones like Google or Twitter build on top of those protocols and come preconfigured so that you do not need to set up much else. So those are mostly for convenience and for more specialized support.
So when you want to authentication through Microsoft or Azure, then you should choose MicrosoftAccount or AzureAD. Which of those depends on where you want to authenticate with. If you have an Azure AD, then you should use that.
We currently have Azure Active Directory with several thousand users in Active Directory. What does IdentityServer4 provide that I cannot get with connecting my .NET and/or Java apps to AAD alone? Can AAD provide me with an auth token that can be used to access the front-end app as well as the back-end API?
The key benefit is control (you can model your clients and resources and taylor your UX as you see fit) and the ability to use it as a federation gateway. E.g. if you need to support multiple customers many of which may want integration to their own IDP.