Asp.net Core 2 enable multi tenancy using Identity Server 4

予麋鹿 2020-12-03 09:19

I have an IDP (Identity Server 4) hosted with multiple bindings: auth.company1.com and auth.company2.com I also have an API protected from that IDP. So in order to access th

1 answer
  • 2020-12-03 09:46

    I solved this.

    At the protecting API level at the startup class I have this configuration:

    services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://shared-domain-for-every-tenant/";
                options.RequireHttpsMetadata = true;
                options.ApiName = "atb_api";
            });
    

    The magic happens at the IDP level (IdentityServer4), while configuring the IdentityServer I add the option IssuerUri like this:

    services.AddIdentityServer(options => {
                options.IssuerUri = "https://shared-domain-for-every-tenant/";
            })
            .AddDeveloperSigningCredential()
            ...other configurations ...
    

    When I navigate to https://auth.company1.com/.well-known/openid-configuration the returned document is like this:

      {
        "issuer": "https://shared-domain-for-every-tenant/",
        "jwks_uri": "https://auth.company1.com/.well-known/openid-configuration/jwks",
        "authorization_endpoint": "https://auth.company1.com/connect/authorize",
        "token_endpoint": "https://auth.company1.com/connect/token",
        "userinfo_endpoint": "https://auth.company1.com/connect/userinfo",
        ...
      }
    

    Notice the issuer is a static URL while all the other endpoints are specific to the tenant that made the request. This allows the API to validate the access token and also have different endpoints for each tenant (I need this to show a different login screen for each of them).

    Hope it helps someone out there :)

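The setup the answer describes, written out end to end as an added example that is not part of the original post: one IdentityServer4 instance answering on every tenant binding with a pinned `IssuerUri`, and the API that accepts its tokens. It assumes IdentityServer4 2.x on ASP.NET Core 2 with the `IdentityServer4.AccessTokenValidation` package; the client id, secret and tenant hosts are constructed values, and the `atb_api` scope name is taken from the answer.

```csharp
// Added example, not the answer's own code. Assumes IdentityServer4 2.x on ASP.NET Core 2
// and IdentityServer4.AccessTokenValidation on the API side; client id and secret are constructed.
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

namespace Idp
{
    // The IDP: bound to auth.company1.com, auth.company2.com and the shared domain.
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddIdentityServer(options =>
            {
                // Pin the issuer. By default IdentityServer derives "iss" from the request
                // Host header, so each tenant binding would mint tokens with a different
                // issuer and the API could trust only one of them at a time.
                options.IssuerUri = "https://shared-domain-for-every-tenant/";
            })
            // One signing key for all bindings, so every tenant's jwks_uri serves the same key.
            // The developer credential is for local use; a deployment loads a certificate
            // with AddSigningCredential instead.
            .AddDeveloperSigningCredential()
            .AddInMemoryApiResources(new[] { new ApiResource("atb_api", "ATB API") })
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "tenant-client",                                // constructed
                    AllowedGrantTypes = GrantTypes.ClientCredentials,
                    ClientSecrets = { new Secret("constructed-secret".Sha256()) }, // constructed
                    AllowedScopes = { "atb_api" }
                }
            });
        }

        public void Configure(IApplicationBuilder app)
        {
            app.UseIdentityServer();
        }
    }
}

namespace Api
{
    // The protected API. It never sees the tenant host; it only checks issuer,
    // audience and signature.
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddAuthentication("Bearer")
                .AddIdentityServerAuthentication(options =>
                {
                    // The handler downloads /.well-known/openid-configuration and the JWKS
                    // from this Authority and validates the token's "iss" claim against the
                    // "issuer" value of that document, which is the pinned IssuerUri above.
                    options.Authority = "https://shared-domain-for-every-tenant/";
                    options.RequireHttpsMetadata = true;
                    // Enforces the "aud" claim, so tokens for other API resources are rejected.
                    options.ApiName = "atb_api";
                });
            services.AddMvc();
        }

        public void Configure(IApplicationBuilder app)
        {
            app.UseAuthentication();
            app.UseMvc();
        }
    }
}
```

Two things to check when deploying this: the shared domain must itself be a binding of the same IdentityServer instance (or at least serve its discovery document and JWKS), because the API fetches both from the `Authority` and not from the tenant hosts; and because every tenant's tokens now carry the same issuer, audience and signing key, nothing in this validation distinguishes a company1 token from a company2 token, so any per-tenant isolation inside the API has to come from a claim the IDP adds and the API checks explicitly.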