
We are developing an API that uses various methods for users to register viz. Facebook, Twitter, Google and also our own Membership system (built using ASP.NET Identity).

We have many large customers that intend to use our platform and have been requesting us to allow us to integrate with them as an OAuth Provider. That will allow their users to get authenticated against their system and then be linked into our system as External accounts. Almost making them another "Facebook" style provider within our system.

If this was just a single customer, we could simply use OpenIdConnect and set them up in our system. They would provide us with a client_id and a Metadata URL to use and we'd be able to link these users back into our system.

My question is - How would we do this for multiple such customers with each having their own OpenIdConnect client_id and Metadata? Could I use multiple instances of app.UseOpenIdConnectAuthentication settings in my Web API?

I have seen some samples of MultiTenant Windows Azure AD where they obtain the tenant_id from the claims and integrate, but in this case, we can't really use Windows Azure AD.

Could someone help me understand my strategy for implementation?

Any help would be very much appreciated.

Anup

Anup Marwadi
  • I think the solution on [this similar question](http://stackoverflow.com/questions/25393234/change-owin-auth-middleware-per-request-multi-tenant-oauth-api-keys-per-tenant) will help you – Joe Audette Oct 24 '14 at 19:30

1 Answer


With the assumption that there is a limited number of your "big customers", here is what I would suggest. Each of these customers would get their own landing page to login, which makes sense in most cases and would have a login with big customer x button on it.

If that can work, take a look at the owin-middleware github project, https://github.com/owin-middleware/OwinOAuthProviders.

I have been able to write an additional OAuth provider pretty quickly (OAuth2 for Azure Active Directory), and each of these big customers is likely to have some nuances anyway in how they implement OAuth. So write a custom provider for each of the customers, and then you can easily use config to separate the tenant, client id and secret.

Philip Nelson
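Added example (not code from either poster, nor from the OwinOAuthProviders project): an OWIN `Startup` that registers one `UseOpenIdConnectAuthentication` instance per customer, exactly as the question asks, driven from config as the answer suggests. The `OidcTenant` class, the `LoadTenantsFromConfig` helper, the `BaseUrl` constant, the `/signin-oidc/<Name>` callback layout, the `oidc_tenant` claim name and the `Oidc:<Name>:*` app-setting keys are all assumptions made for this example. The parts that matter for safety are marked in comments: a distinct `AuthenticationType` and `CallbackPath` per customer so the right middleware instance handles each callback, a pinned `ValidIssuer` per customer so metadata discovery alone does not decide which tokens are accepted, and a tenant claim added on validation so account linking is keyed by provider plus subject rather than subject alone.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace MultiTenantOidc
{
    // Hypothetical settings record for one customer acting as an OpenID Connect provider.
    public class OidcTenant
    {
        public string Name;            // becomes the AuthenticationType, e.g. "CustomerA"
        public string ClientId;
        public string ClientSecret;
        public string MetadataAddress; // the customer's .well-known/openid-configuration URL
        public string Issuer;          // the only "iss" value we accept from this customer
    }

    public class Startup
    {
        // Assumed public base URL of our site; must match the redirect URI registered with each customer.
        const string BaseUrl = "https://example.test";

        public void Configuration(IAppBuilder app)
        {
            // External sign-ins land in the external cookie, which the ASP.NET Identity
            // account-linking code then reads (the standard Identity pattern).
            app.SetDefaultSignInAsAuthenticationType(DefaultAuthenticationTypes.ExternalCookie);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ExternalCookie,
                AuthenticationMode = AuthenticationMode.Passive
            });

            // One OpenID Connect middleware instance per customer, each with its own settings.
            foreach (var tenant in LoadTenantsFromConfig())
                app.UseOpenIdConnectAuthentication(BuildOptions(tenant));
        }

        static OpenIdConnectAuthenticationOptions BuildOptions(OidcTenant tenant)
        {
            return new OpenIdConnectAuthenticationOptions
            {
                // Distinct per customer: the name the landing page passes to Challenge() and
                // the LoginProvider stored on the Identity external login.
                AuthenticationType = tenant.Name,
                // Passive: only run when the landing page challenges this name, never on an
                // arbitrary 401 from the API.
                AuthenticationMode = AuthenticationMode.Passive,
                ClientId = tenant.ClientId,
                ClientSecret = tenant.ClientSecret,
                MetadataAddress = tenant.MetadataAddress,
                // Distinct callback path per customer so each instance only processes
                // responses to its own authorization requests.
                CallbackPath = new PathString("/signin-oidc/" + tenant.Name),
                RedirectUri = BaseUrl + "/signin-oidc/" + tenant.Name,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Pin the issuer: discovery supplies the signing keys, but tokens whose
                    // "iss" is not the one configured for this customer are still rejected.
                    ValidateIssuer = true,
                    ValidIssuer = tenant.Issuer
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    SecurityTokenValidated = n =>
                    {
                        // Tag the identity with its tenant so linking can never match a subject
                        // from customer A against an external login created for customer B.
                        n.AuthenticationTicket.Identity.AddClaim(new Claim("oidc_tenant", tenant.Name));
                        return Task.FromResult(0);
                    },
                    AuthenticationFailed = n =>
                    {
                        // Fail closed: stop the pipeline and show an error page.
                        n.HandleResponse();
                        n.Response.Redirect("/Account/ExternalLoginFailure");
                        return Task.FromResult(0);
                    }
                }
            };
        }

        // Assumed <appSettings> layout: "OidcTenants" = "CustomerA,CustomerB" and, per tenant,
        // "Oidc:<Name>:ClientId", "Oidc:<Name>:ClientSecret", "Oidc:<Name>:Metadata", "Oidc:<Name>:Issuer".
        static IEnumerable<OidcTenant> LoadTenantsFromConfig()
        {
            var names = (ConfigurationManager.AppSettings["OidcTenants"] ?? "")
                .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
            foreach (var raw in names)
            {
                var name = raw.Trim();
                yield return new OidcTenant
                {
                    Name = name,
                    ClientId = ConfigurationManager.AppSettings["Oidc:" + name + ":ClientId"],
                    ClientSecret = ConfigurationManager.AppSettings["Oidc:" + name + ":ClientSecret"],
                    MetadataAddress = ConfigurationManager.AppSettings["Oidc:" + name + ":Metadata"],
                    Issuer = ConfigurationManager.AppSettings["Oidc:" + name + ":Issuer"]
                };
            }
        }
    }
}
```

Each customer's landing page then challenges its own name, for example `Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/Account/ExternalLoginCallback" }, "CustomerA")`, and the usual `GetExternalLoginInfoAsync()` flow yields a `UserLoginInfo` whose `LoginProvider` is `"CustomerA"`, so the external login row is unique per customer and subject. Reading `ClientSecret` from `<appSettings>` is shown for brevity; in practice it belongs in a protected configuration section or a secret store rather than in plain web.config.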