Hey I am trying to implement multi tenancy for our cloud imp

Question

Hey I am trying to implement multi tenancy for our cloud implementation single instance for all customers This is the implementation I have in mind 1 An organisation entity is linked to an OpenID Connect provider 2 A link is generated for logging in via a specific OpenID Connect provider `https example com auth org id=oidc provider id` 3 People visiting this link start the OAuth2 OIDC login flow with the organization specific OIDC provider 4 Users that newly register log in are automatically added to the specific organization I am now trying to figure out how to handle this on the SuperTokens Next js side Within the `getServerSideProps` function of the `auth` route I can load the specific integration id secret and issuer url from the database However it is unclear to me on how I would then utilize this information with the SuperTokens SDK since it is a singleton that is initialized once and cannot be initialised per request Do you have any pointers here

rp · Answer

hey < n1ru4l>

rp · Answer

so essentially on the frontend you want to set the provider list in the thirdparty recipe based on the `id` in the query params

rp · Answer

On the backend you can initialise all of the providers and dynamically load their config during API calls You want to override the signinup and getauthorisationurl API on the backend to fetch the config of the tenantID from your db You can get the teantId from the request object somehow Then set the config in the the userContext before calling the original implementation This userContext with the config will be available in your custom provider s definition in the `get` function

n1ru4l · Answer

> On the backend you can initialise all of the providers and dynamically load their config during API calls Since providers are added removed dynamically and we can potentially have hundreds that does not seem like a nice solution

n1ru4l · Answer

oh wait i misunderstood

n1ru4l · Answer

okay let me try this

rp · Answer

Ok

rp · Answer

I could show it to you on a call sometime tomorrow or on Thursday

n1ru4l · Answer

let me try how far I get today if not lets schedule a call

rp · Answer

Sounds good

n1ru4l · Answer

thank you

n1ru4l · Answer

Okay it seems like my `authorisationUrlGET` override is not used at all I added a simple override with a console log and it never shows up The HTTP call initiated by supertokens react to `http localhost 3000 api auth authorisationurl thirdPartyId=org 7Ckekeke` simply gives me ` message The third party provider org|kekeke seems to be missing from the backend configs ` ``` const getOIDCOverrides = => console log it is applied for sure const override ThirdPartEmailPasswordTypeInput override = apis originalImplementation return originalImplementation async authorisationUrlGET input console log input return originalImplementation authorisationUrlGET input return override ```

n1ru4l · Answer

I added a console log for the `apis` function it seems like that one is not invoked

rp · Answer

Oh yea You need to add a provider with that id in the provider list in the backend for it to work

n1ru4l · Answer

Any workaround if we don t know the list of oidc providers upfront

rp · Answer

Hmm On the backend you would need to add all the ones that your app can integrate with

n1ru4l · Answer

Uhmm but we generate the id on the fly as an user adds an integration to the org

rp · Answer

Hmm I see But how will the SDK know how to integrate with that org without you specifying info for it like the auth exchange url or how to get the profile info from that org

n1ru4l · Answer

it will load it from the db

n1ru4l · Answer

we store client id secret encrypted and issuer url in the db

rp · Answer

Yea that s fine But the actual integration with that info is on a per provider basis For example the way you get the user profile from Microsoft AD is different compared to something like LinkedIn

n1ru4l · Answer

The userinfo is received via the OpenID Connect UserInfo endpoint

rp · Answer

You would also need to store the mapping of id token to user info then Like which field in the id token corresponds to the email for example

n1ru4l · Answer

Yeah but that is not really related to this issue no It is something that must also be solved for sure but I cannot get to this point yet

rp · Answer

Right yea Ok so I have an idea

rp · Answer

Essentially you create one generic open id client which some is like generic

rp · Answer

On the frontend and backend

rp · Answer

And then on the backend you not only load the client id client secret etc config but also the auth urls for that provider from the db

rp · Answer

And then dynamically inject all of those in the generic provider on the backend

rp · Answer

Including info about how to get profile info from the id token

n1ru4l · Answer

Oh so the organization specifc auth id would be an additional query parameter

rp · Answer

Yea A custom param in the request

n1ru4l · Answer

``` export const startAuthFlowForOIDCProvider = async oidcId string => let authUrl = await getAuthorisationURLWithQueryParamsAndSetState providerId org authorisationURL `$ env appBaseUrl auth callback org` const url = new URL authUrl url searchParams set oidc id oidcId authUrl = url toString window location assign authUrl ```

n1ru4l · Answer

Is it possible to add a query parameter to the callback url

n1ru4l · Answer

or will the oidc provider complain as it also adds query parameters

rp · Answer

You want to add info to the state in this case

rp · Answer

What s the use case of adding extra info

n1ru4l · Answer

oh so org is the generic provider but also we need to know which org it is right So that is why we also need to somehow pass the open id connect provider id

rp · Answer

I see When handling the callback Makes sense

rp · Answer

Oh and you may also want to modify the value of thirdpartyid in the signinup function to add the actual provider id to the input value of thirdpartyid so that in the db users are not all shared for the same thirdpartyid

n1ru4l · Answer

< rp> Okay so the biggest question really is how I could provide inject the organization specific id into all steps in a secure way that would not allow an attacker to inject a random one

n1ru4l · Answer

Into `thirdPartySignInUpPOST` and `authorisationUrlGET` to be precise

n1ru4l · Answer

for `authorisationUrlGET` just relying on the `referer` headers seems to be safe enough

n1ru4l · Answer

but for `thirdPartySignInUpPOST` I need a safe way

rp · Answer

you can use the state Also even if an attacker injects a different org specific ID in `thirdPartySignInUpPOST` it won t work cause the auth code exchange will fail

n1ru4l · Answer

Potentially stupid question Where do i access the state

rp · Answer

Well yea You will need to add that as a custom prop in the request body from the frontend and access it on the backend

n1ru4l · Answer

``` authorisationRedirect this contains info about forming the authorisation redirect URL without the state params and without the redirect uri param url `$ oidcConfig domain authorize` params client id oidcConfig clientId scope openid email response type code redirect uri `$ env appBaseUrl auth callback oidc` state oidcConfig id ```

n1ru4l · Answer

so here i pass the state to the oicd provider within a custom TypeProvider on the backend

n1ru4l · Answer

how does okta any other oidc provider give me back that state

rp · Answer

Query param in the callback URL

n1ru4l · Answer

Does SuperTokens by default add a state query parameter

n1ru4l · Answer

Seems like I would need a way of overriding `generateStateToSendToOAuthProvider`

n1ru4l · Answer

figured it out

n1ru4l · Answer

I think there is a bug with the `getAuthorisationURLFromBackend` function override `options` ``` getAuthorisationURLFromBackend input const maybeId unknown = input userContext oidcId if typeof maybeId === string return originalImplementation getAuthorisationURLFromBackend input options preAPIHook async options => alert NANI const url = new URL options url url searchParams append oidc id maybeId return options url url toString return originalImplementation getAuthorisationURLFromBackend input ``` The `preAPIHook` seems to never be invoked

rp · Answer

< nkshah2> can have a look at this sometime tomorrow

n1ru4l · Answer

worked around this by instead having a global `preAPIHook` override

n1ru4l · Answer

I just pushed this code by the way https github com kamilkisiela graphql hive pull 524 commits cbac51e63db1ff1e1b8913dda3802458f181eb1b

rp · Answer

Thanks < nkshah2> can have a look at this to see if there is a bug in the SDK

n1ru4l · Answer

This is the code that does not seem to be called https github com kamilkisiela graphql hive pull 524 commits cbac51e63db1ff1e1b8913dda3802458f181eb1b diff 338fad0be944e0a8ff64f473dcb1f33e7b79e572b6d855fd8d91d620eb77c9d1R19 R39 This is the workaround https github com kamilkisiela graphql hive pull 524 commits cbac51e63db1ff1e1b8913dda3802458f181eb1b diff 60e5f6f1bc00bfc86d7bc174d51d45159fd05bdd09e754763add674f1a82ee79R56 R73

n1ru4l · Answer

< rp> Thank you so much for all the help today

rp · Answer

Happy to help Thank you as well for giving us insight into what needs improving

nkshah2 · Answer

Hi < n1ru4l> can I see how you are using `getAuthorisationURLFromBackend` I tried setting up a sample project and the pre api hook works correctly for me

n1ru4l · Answer

< nkshah2> Did you test it on Next js

n1ru4l · Answer

could this be related to a dependency of supertokens being resolved to the wrong version

nkshah2 · Answer

Ill setup a sample app to test with NestJS in the meantime what version of supertokens web js are you using

n1ru4l · Answer

https codesandbox io s distracted nash 44sm51 file= src index tsx 1036 1130

n1ru4l · Answer

I have a minimal reproduction

n1ru4l · Answer

I call `getAuthorisationURLWithQueryParamsAndSetState`

nkshah2 · Answer

Ah thanks for that ill have a look

n1ru4l · Answer

It is not next js related it seems

nkshah2 · Answer

Right I can reproduce the bug and ill be working on a fix for this if you like you can open an issue about this in `supertokens auth react` to keep track of progress on this

nkshah2 · Answer

And yeah its not NextJS specific

n1ru4l · Answer

I just saw https github com supertokens supertokens auth react pull 606 < nkshah2> thank you