Q: Multi-tenant app support? #14

Closed
iambmelt opened this issue Sep 28, 2015 · 4 comments
Comments

@iambmelt
Member

Does using omniauth-azure-activedirectory preclude my app from being multi-tenant? I see that in the below file a tenant identifier is expected; how does that impact me?

From examples/rails-todo-list-app/config/environment.rb

# You may want to specify these keys separately for production and test
# environments.
ENV['CLIENT_ID'] = 'YOUR CLIENT ID HERE'
ENV['CLIENT_SECRET'] = 'YOUR CLIENT SECRET HERE'
ENV['TENANT'] = 'YOUR TENANT HERE'

# Load the Rails application.
require File.expand_path('../application', __FILE__)

ADAL::Logging.log_level = ADAL::Logger::VERBOSE

# Initialize the Rails application.
Rails.application.initialize!

@iambmelt
Member Author

Answered my own question - it looks like the tenant is used for looking up the app registration and not much else...

So multi-tenant is good 👍

@ricalo

ricalo commented Jan 6, 2016

@iambmelt, actually, the tenant is used to validate the JWT token.
The validation occurs in validate_and_parse_id_token.

So, any user from a tenant that is different from ENV['TENANT'] will fail the token validation.

I believe this effectively prevents your app from being multi-tenant.

@aj-michael could you confirm/discard this hypothesis?

@aj-michael
Contributor

@ricalo No, I do not believe tenant is checked in that method. I cannot currently test this, but that method checks the JWT for expiration, issued at, audience (client id), issuer, not before, and signature.

@ricalo

ricalo commented Jan 6, 2016

Thanks for the prompt answer, @aj-michael

I think the key is that the method checks for payload['iss'].to_s == options['iss'].to_s.
The validate_and_parse_id_token method throws an error if the user's tenant is different from the tenant configured by the library.

Currently, I see no way to configure the library to use the common tenant, so I can sign in with users from multiple tenants.

Here's the error that I see when I try to configure the library with the common tenant:
(screenshot: "invalid issuer" error)

I guess the question here is how do I configure the library to support users from multiple tenants?

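The thread above turns on one line of claim validation: a strict `payload['iss'] == options['iss']` comparison, which can only ever match one tenant's issuer. The following is an added example, not code from omniauth-azure-activedirectory or from any participant in this thread. It decodes constructed, unsigned id_tokens (signature verification is deliberately left out; the real gem checks RS256 signatures against the tenant's signing keys) and runs the expiration, issued-at, not-before, audience and issuer checks that @aj-michael lists. `validate_single_tenant` reproduces the strict issuer comparison and shows why pointing the configured issuer at the `common` tenant rejects every token. `validate_multi_tenant` is one way to accept several tenants safely: match the issuer against the tenant-scoped issuer pattern, require it to agree with the token's own `tid` claim, and then apply an explicit tenant allow-list rather than trusting any tenant. The issuer format `https://sts.windows.net/<tenant-guid>/` is assumed from Azure AD's v1 endpoint behaviour; the option name `iss` is taken from the thread; the GUIDs, client id and clock value are made up.

```ruby
require 'json'

# Assumed Azure AD (v1 endpoint) issuer format: https://sts.windows.net/<tenant-guid>/
ISSUER_PREFIX = 'https://sts.windows.net/'.freeze

class InvalidClaim < StandardError; end

# base64url helpers built on pack/unpack so the example has no gem dependencies
def base64url_encode(str)
  [str].pack('m0').tr('+/', '-_').delete('=')
end

def base64url_decode(str)
  padded = str + '=' * ((4 - str.length % 4) % 4)
  padded.tr('-_', '+/').unpack1('m0')
end

# Builds an unsigned compact JWT for the constructed tokens below.
# Real id_tokens are RS256-signed; signature checking is out of scope here.
def build_unsigned_jwt(payload)
  header = base64url_encode(JSON.generate(alg: 'none', typ: 'JWT'))
  "#{header}.#{base64url_encode(JSON.generate(payload))}."
end

def decode_payload(jwt)
  JSON.parse(base64url_decode(jwt.split('.')[1]))
end

# Checks shared by both issuer policies: exp, nbf, iat and aud (client id).
def check_common_claims(payload, client_id, now)
  raise InvalidClaim, 'expired' if payload['exp'].to_i <= now
  raise InvalidClaim, 'not yet valid' if payload.key?('nbf') && payload['nbf'].to_i > now
  raise InvalidClaim, 'issued in the future' if payload['iat'].to_i > now
  raise InvalidClaim, 'invalid audience' unless payload['aud'].to_s == client_id
end

# Single-tenant policy, mirroring the strict comparison quoted in the thread:
# the issuer must equal the one configured issuer string exactly.
def validate_single_tenant(jwt, client_id:, iss:, now: Time.now.to_i)
  payload = decode_payload(jwt)
  check_common_claims(payload, client_id, now)
  raise InvalidClaim, 'invalid issuer' unless payload['iss'].to_s == iss.to_s
  payload
end

# Multi-tenant policy: the issuer must look like ISSUER_PREFIX<tid>/, the tid it
# names must match the token's own `tid` claim, and the tenant must be allow-listed.
TENANT_ISSUER = Regexp.new("\\A#{Regexp.escape(ISSUER_PREFIX)}([0-9a-f-]{36})/\\z")

def validate_multi_tenant(jwt, client_id:, allowed_tenants:, now: Time.now.to_i)
  payload = decode_payload(jwt)
  check_common_claims(payload, client_id, now)
  m = TENANT_ISSUER.match(payload['iss'].to_s)
  raise InvalidClaim, 'invalid issuer' unless m
  tid = m[1]
  raise InvalidClaim, 'issuer/tid mismatch' unless payload['tid'] == tid
  raise InvalidClaim, "tenant #{tid} not allowed" unless allowed_tenants.include?(tid)
  payload
end

# Constructed sample data (made-up identifiers and a fixed clock for determinism).
CLIENT_ID    = '11111111-2222-3333-4444-555555555555'.freeze
HOME_TENANT  = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'.freeze
OTHER_TENANT = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb'.freeze
NOW = 1_452_000_000

def token_for(tenant, now = NOW)
  build_unsigned_jwt(
    'iss' => "#{ISSUER_PREFIX}#{tenant}/", 'tid' => tenant, 'aud' => CLIENT_ID,
    'iat' => now - 60, 'nbf' => now - 60, 'exp' => now + 3600,
    'upn' => "user@#{tenant[0, 8]}.example"
  )
end

def error_of
  yield
  nil
rescue InvalidClaim => e
  e.message
end

# Runs every scenario from the thread and returns the outcomes keyed by scenario.
def demo
  home, other = token_for(HOME_TENANT), token_for(OTHER_TENANT)
  home_iss = "#{ISSUER_PREFIX}#{HOME_TENANT}/"
  r = {}
  r[:strict_home]    = validate_single_tenant(home, client_id: CLIENT_ID, iss: home_iss, now: NOW)['tid']
  r[:strict_other]   = error_of { validate_single_tenant(other, client_id: CLIENT_ID, iss: home_iss, now: NOW) }
  # Configuring 'common' as the issuer: no real token carries that issuer, so every sign-in fails.
  r[:strict_common]  = error_of { validate_single_tenant(home, client_id: CLIENT_ID, iss: "#{ISSUER_PREFIX}common/", now: NOW) }
  r[:multi_other]    = validate_multi_tenant(other, client_id: CLIENT_ID, allowed_tenants: [HOME_TENANT, OTHER_TENANT], now: NOW)['tid']
  r[:multi_unlisted] = error_of { validate_multi_tenant(other, client_id: CLIENT_ID, allowed_tenants: [HOME_TENANT], now: NOW) }
  r[:expired]        = error_of { validate_multi_tenant(token_for(HOME_TENANT, NOW - 7200), client_id: CLIENT_ID, allowed_tenants: [HOME_TENANT], now: NOW) }
  r
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The allow-list is the important design choice: once the issuer is no longer pinned to a single string, the app is deciding which tenants may sign in, and "any tenant whose issuer parses" is rarely the intended policy for an app that holds per-tenant data. Note that this example makes no statement about whether the gem exposes such an option; it only shows what the two policies look like.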