Solve multitenant login at scale

I'm in a real build or buy struggle. GCP identity platform would serve almost all our needs.

Basically I want to build user management on my own (including RBAC and groups) and ONLY want to solve login and tokens with the below requirements. I know quite a bit about JWT and authentication in general. The question I'm asking myself is just whether it's better to build a solution on my own or to use an existing one.

Is there any alternative which supports the following:

  • multi tenancy (at scale >10k tenants)
  • MFA
  • social login
  • SSO with OIDC and SAML
  • and of course persistence (using refresh tokens)

Are there any tips for self-building? Are there any alternatives? Any direction is greatly appreciated 🙏

PS:

None of these are what I need: Ory, keycloak, okta, auth0, fusionauth, gluu



Solution 1:[1]

USER DATA

When you integrate OAuth there are always 2 sources of user data:

  • The identity data's view of users
  • Your own business data's view of users

I think what you are saying is that you want finer control over user data, while also externalising difficult security work.

TOKENS AND CLAIMS

The identity system should be able to include values such as Tenant ID in access tokens, regardless of which data source each value is stored in.

Similarly the User ID in your business data is also likely to be needed in tokens. This value should be provided to your APIs in a consistent way, regardless of how the user signs in, and this is managed via account linking.

DESIGNING END-TO-END FLOWS

The main thing is to think through how these will work, for both new and existing users. This detailed Curity article provides some worked examples.

CHOOSING A SOLUTION

Don't choose a third party identity system until you've designed your end to end flows and clarified your requirements. The key thing about OAuth is that it requires extensible building blocks, rather than being an out of the box solution.

Some companies start with home grown identity microservices, which can become a lot of work, but may be ok in the early days. I always recommend keeping application code portable, so that you can migrate to a better provider in future, if needed.

Solution 2:[2]

Are you only considering open source solutions? Azure AD ticks all of your boxes.

Solution 3:[3]

You should not implement security logic like authorization or authentication or encryption yourself. IMO it's always better to use an existing solution - especially features like MFA are not trivial to implement.

None of these are what I need: Ory, keycloak, okta, auth0, fusionauth, gluu

Why is that? It seems to me most of those are a good option for you - especially the open source ones.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Gary Archer
Solution 2 Delta George
Solution 3 vinckr