This repository has been archived by the owner on Feb 16, 2024. It is now read-only.

Support for multiple application configuration options #10

Open
MikaBerglund opened this issue Feb 14, 2021 · 8 comments
Labels: enhancement (New feature or request)

Comments

@MikaBerglund
Contributor

Sometimes it would be useful to be able to use multiple application configuration options and provide a mechanism where the application could select which configuration to use when authenticating users. An application could also allow the user to select how they want to log in.

Some use cases for this configuration:

  • Allow corporate users to select Azure AD and consumers to select Azure AD B2C or any other IdP.
  • Use one application (single-tenant) for employees and another application (multi-tenant) for external users with a different set of default scopes than configured for employees

This can be implemented in for instance Azure AD B2C, where users would select the IdP from a list of providers, but having it configurable directly in the application would make it a more integral experience to the user.

@MikaBerglund MikaBerglund added the enhancement New feature or request label Feb 14, 2021
@MikaBerglund MikaBerglund added this to the vNext milestone Feb 14, 2021
@MikaBerglund MikaBerglund self-assigned this Feb 14, 2021
@cloudtidings

Hi @MikaBerglund, is this feature available? I am looking for an option for the user to type the tenant before the authentication, as some user accounts would have access to many tenants.

@MikaBerglund
Contributor Author

No, it's not yet available. It's still on the backlog. For the moment, you can allow users to log in from multiple tenants by creating your application as a multi-tenant application. However, then you allow users to log in from any tenant, so if you want to control which tenants they log in from, you have to take care of that in your application, after the user has logged in.

@cloudtidings

> However, then you allow users to log in from any tenant, so if you want to control which tenants they log in from, you have to take care of that in your application, after the user has logged in.

You mean ask the user to log on twice?
What I am looking for is for the user to type the tenant before the user clicks on logon. It would be useful if we could pass the tenant name in the authentication. I am using a Blazor Server app and the below code is in Startup.cs (ConfigureServices). Is there a way to change the authority later?

            // Inside Startup.ConfigureServices(IServiceCollection services).
            services.AddBlazoradeMsal((sp, o) =>
            {
                // Read the "AzureAd" section of appsettings.json.
                var root = sp.GetService<IConfiguration>();
                var config = root.GetSection("AzureAd");
                o.ClientId = config.GetValue<string>("clientId");
                o.TenantId = config.GetValue<string>("tenantId");
                // The authority is fixed once here, at startup.
                o.Authority = config.GetValue<string>("authority");

                o.DefaultScopes = new string[] { "openid", "User.Read" };
                o.PostLogoutUrl = "/loggedout";
                o.RedirectUrl = "/login";
                o.InteractiveLoginMode = InteractiveLoginMode.Popup;
                o.TokenCacheScope = TokenCacheScope.Session;
            });

@MikaBerglund
Contributor Author

No, they don't have to log in twice. In a multi-tenant application, users can log in to the same application using an account from any tenant.

@MikaBerglund
Contributor Author

If we have multiple tenants that users can choose from, then we also need to configure an application in each of these tenants, because you always need an application in the tenant that users sign in to, unless you have a multi-tenant application.

@cloudtidings

> then we also need to configure an application in each of these tenants, because you always need an application in the tenant that users sign in to, unless you have a multi-tenant application.

Yes. I am building a multi-tenant app. But because a user can have many tenants, I need them to be able to select the tenant before working in the app.

@MikaBerglund
Contributor Author

They select the tenant by choosing which login they use. The domain in every login is connected to an Azure AD tenant. If you don't have a vanity domain associated with an AAD tenant, then you log in using [email protected]. If you have associated a vanity domain with a tenant, then you log in with [email protected].

The tenant that you then configure in the application's configuration is the tenant where you have registered your multi-tenant application, which can be different from the tenant that your users log in from. The tenant and application ID (client ID) always go hand in hand.

@svrooij

svrooij commented Jun 20, 2023

You can have an account [email protected] which is a guest user (and assigned an application role) in a second tenant domainc.onmicrosoft.com.

Then the tokens you get change depending on whether you send domaina.com (or organizations, which defaults to the home tenant) or domainc.onmicrosoft.com as the tenant.

The iss scope will change depending on the choice. That way you can use one account to access a multi-tenant application as if you had a second account in the customer's tenant.
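Two points in this thread call for the same piece of application code: a multi-tenant registration lets an account from any tenant sign in, so the application itself has to decide which tenants it accepts (MikaBerglund's reply above), and the same account signed in through its home tenant or through a tenant where it is a guest yields tokens with a different `iss`/`tid` (the comment just above). The following is an added example, not code from the Blazorade MSAL project or from anyone in this thread. It builds the v2.0 authority from a tenant the user typed before sign-in, and it shows the post-login tenant check on the `tid` and `iss` claims. The tokens are constructed, unsigned JWT payloads used only to illustrate the claims; the tenant IDs, domains, object IDs and allow-list are made up. A real application lets MSAL or the JWT middleware validate the signature first and only then inspects claims.

```python
"""Added example: tenant selection before sign-in and tenant enforcement after it.
Not part of Blazorade MSAL. All identifiers below are constructed for illustration."""
import base64
import json
import re

# v2.0 issuer template used by Azure AD for every tenant.
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"

_GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)
_ALIASES = ("common", "organizations", "consumers")


def is_valid_tenant_selector(tenant: str) -> bool:
    """True for a well-known alias, a tenant GUID, or a verified domain name."""
    t = tenant.strip().lower()
    return t in _ALIASES or bool(_GUID.match(t)) or bool(_DOMAIN.match(t))


def authority_for(tenant: str) -> str:
    """Build the authority for a tenant the user typed before clicking logon.

    Anything that is not a recognised selector is rejected, so user input
    cannot steer the authority to an unexpected host or path.
    """
    if not is_valid_tenant_selector(tenant):
        raise ValueError(f"not a valid tenant selector: {tenant!r}")
    return f"https://login.microsoftonline.com/{tenant.strip().lower()}/v2.0"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed token: header.payload with an empty signature part (illustration only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def claims_of(token: str) -> dict:
    """Read the payload only. No signature check here; see the lead-in."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_tenant(token: str, allowed_tenant_ids: set) -> tuple:
    """The check a multi-tenant app has to do itself after the user has logged in.

    Returns (accepted, reason). `tid` and `iss` must both be present and the
    issuer must be the v2.0 issuer of that same tenant, so a token issued by
    one tenant cannot be presented as belonging to another.
    """
    c = claims_of(token)
    tid, iss = c.get("tid"), c.get("iss")
    if not tid or not iss:
        return False, "missing tid or iss claim"
    if iss != V2_ISSUER.format(tid=tid):
        return False, f"issuer {iss} does not match tenant {tid}"
    if tid not in allowed_tenant_ids:
        return False, f"tenant {tid} is not allowed to use this application"
    return True, f"tenant {tid} accepted"


# Constructed sample: one account, two sign-ins. Made-up tenant and object IDs.
HOME_TID = "11111111-1111-1111-1111-111111111111"   # domaina.com, the account's home tenant
GUEST_TID = "33333333-3333-3333-3333-333333333333"  # domainc.onmicrosoft.com, where it is a guest
_APP_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"   # made-up client ID of the multi-tenant app

TOKEN_VIA_HOME = make_unsigned_token({
    "aud": _APP_ID, "preferred_username": "user@domaina.com",
    "oid": "22222222-2222-2222-2222-222222222222",   # object ID in the home tenant
    "tid": HOME_TID, "iss": V2_ISSUER.format(tid=HOME_TID)})
TOKEN_VIA_GUEST = make_unsigned_token({
    "aud": _APP_ID, "preferred_username": "user@domaina.com",
    "oid": "44444444-4444-4444-4444-444444444444",   # a guest gets its own object ID
    "tid": GUEST_TID, "iss": V2_ISSUER.format(tid=GUEST_TID)})
# Inconsistent claims: tid from one tenant, iss from another. Must be rejected.
TOKEN_MISMATCH = make_unsigned_token({
    "aud": _APP_ID, "tid": GUEST_TID, "iss": V2_ISSUER.format(tid=HOME_TID)})

if __name__ == "__main__":
    allowed = {GUEST_TID}  # e.g. only the customer's tenant may use this app
    for name, tok in (("home", TOKEN_VIA_HOME), ("guest", TOKEN_VIA_GUEST), ("mismatch", TOKEN_MISMATCH)):
        print(name, claims_of(tok)["iss"], check_tenant(tok, allowed))
    print(authority_for("domainc.onmicrosoft.com"))
```

In Blazorade MSAL terms, `authority_for` corresponds to computing `o.Authority` from the tenant the user typed instead of reading it from configuration, and `check_tenant` is the step that runs on the signed-in principal's `tid` and `iss` claims before the application grants access.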

3 participants