I am pretty new to Microservices and I am confused how to easily manage different type of user through all microservices.
Let start with thee Idea:
I have a list of UserType like : SiteManager, Driver, Owner, SupportPerson- this user types had specific properties each and using a single type [USER] is not relevant, but I can use roles to manage authorization for specific microservice - this can be achieved using role manager. I would like to have different user types and Link Models to an IdentityUser like:
Driver [UserId, LocationPoint, CurrentVehicle,LicenseNumber].
Owner [UserId,Email...]
SiteManager[UserId,SiteId,Email,LocationPoint]
This 3 Types of User will handle 3 different Mobile Applications, and each application will bind to an API, or an AggregatorAPI
Identity.APILogin (create user token and pass across Services). Register -> Register a USER and return USER_ID
Driver.API Register a Driver (Call to Identity.API and get a valid User ID then create a Driver Entity), Do stuff on Driver.API
SiteManagerAPI Register SiteManager(Call to Identity.API and get a valid User ID), create order for drivers
Identity User should be a separate DB
So my questions is: Can I call my IdentityAPI microservice to create and save a new User, then I can use this
UserId to link to a new Driver Or SiteManager or SupportPerson, and in the same time using Identity microservice to Manage Authentification and Authorization? Or maybe someone has any ideas how to handle a multi-user type scenario when for each user type we need a separate table.
Related
I'm building an Angular 11 app with AWS Amplify as the backend which uses Appsync, dynamodb and a managed GraphQL API. I'm using the cognito user pools to authenticate. Authentication works neatly, but I am really confused about how to go about doing role-based authorization. I haven't done this using cognito before but I have a strategy in mind that should theoretically work out. I would like advice on if there is a better way to do this:-
Requirements:-
The app will be used by members of organisations that we are partnering with. Every member will be tied to an organisation. So organisations have their own table and so do members. Members of an organisation can only access content related to their organisation. So right after authentication, the client app has to get the id of the organisation the current user belongs to and also the role they play in that organisation to show/hide UI resources and filter data. Which UI resources they can access depends on the role they play in that organisation and of course the data they see there has to be restricted to what is related to their organisation.
This is a controlled beta release of our application, so Cognito user pools uses email and password to login. No other login option is provided for the sake of keeping things simple. User sign up is not possible. Only admins can add new users for now.
How I plan to do this:-
Cognito API is integrated to the client and the admin will add the
new members from the client UI and the client will add them to the
cognito user pool via the Cognito API
While adding the new members, the admin will specify which
organisation they belong to and what role they play in it. But the
organisation and role are not details that are stored within the
user pools. There is a separate dynamodb table called "members"
which stores these information because these can change frequently
and need to be flexible.
Additions made to the Cognito user pool trigger a lambda function
that automatically syncronizes the "members" table in the amplify
backend in a dynamoDB table with the new additions to the user pool.
So when the admin adds a new user from the client UI, they
fill out a form with the email ID, name, organisation and role of
the new user, and the client UI will create that user with the name
and email ID in the user pool via the cognito API. Once that request
returns the user's ID (remember it will also trigger the creation of
a record in the member's table via the lambda funciton), we create a
mutation to the member's table adding the organisation and the role to the user's record in the member table.
Cognito user pool only has the email ID, name and user ID and
nothing else, all other information is stored in the members table,
which also has the ID, and name (for human reference) but not the
Email ID. We will not be holding the same information in
these two tables to avoid redundancy.
Updates to the email ID can be made by individual users via the
client app which will do it in the cognito user pool via the cognito
API. And no updates need to be made to the member table after email
update since the member table doesn't have the email ID. All other
member details can be made to the members table via the client app.
When the user logs in, as soon as the cognito UI authenticates the
user and sends over the email ID and user id, we fetch the member
details from the member table using the user ID and get details such as their name,
organisation they belong to and their role. And using the
information on their role, we can restrict UI resources using flags
in the UI Code. To achieve this, there will be a separate table that
will let the admin user modify access to the UI resources for each
role. So we'll need to fetch the role and the associated UI tags
right after authentication as well.
And as for how data is filtered as per the organisation, I am not
sure yet, but I would like to use an authorizer that will be
specified using a function in the graphql schema itself, that will
get the organisation ID with each request and use that to filter the
data before returning to the client.
Not sure if this process is solid, but this is what I was able to fathom. Please let me know if I am doing this in a sensible way or if there are better ways to achieve what I am doing.
Cannot find anywhere on Google Identity Platform docs that clearly describe whether it's possible to assign a single user to multiple tenants. see https://cloud.google.com/identity-platform/docs/multi-tenancy-managing-tenants
My project needs the capability to have a single user be able to login to multiple, separate tenants. Currently, I have to create a new user on every tenant I want to be able to login to. This is not good because each new user I create has a different uid and separate password management. For a single user, I want to be able to maintain the same uid across tenants so the associated user data can be consistent as well.
I was thinking there would be some way to create a user at the project level (not tenant level) and then assign that user to specific tenants?
Some random thoughts: The docs say some things about migrating users between tenants, perhaps that is one way. Also was thinking that creating a tenant user with my existing project-level uid would somehow merge them so the uid and password management is the same?
Edit: I found this conceptual discussion to be helpful: https://softwareengineering.stackexchange.com/questions/403274/multitenancy-with-cross-tenant-users
what I gathered from that link is that SSO is separate from multi-tenancy. So I'm trying to figure out an SSO solution on top of multi-tenancy google idp. Any code solutions/suggestions for how to add SSO on top of multi-tenant google identity platform?
If you need the same user across tenants maybe you should instead rely on the user email, custom claims, federated ID (eg. user.providerData[0].uid). When you get an ID token for the user you have access to this same information regardless of the tenant or user.uid.
I created a multi-tenant application where each tenant have different set of users. I am trying to implement a functionality where same user might exist in different tenants. Does outsystems provide such functionality or I have to create my custom logic ?
Right now, I did create a user having same username in 2 different tenants and during login I am showing user to select tenants. But on changing tenants and logging to that tenant, the environment doesn't switch to that tenant that user has selected.
Below is the image of the logic of switching tenants and logging in the customer.
During debugging I saw that after executing TenantSwitch action it did change the Site.TenantID property but after User_Login action is reverted to the first tenant not the one user selected.
When you use User_Login(), the system will log you in the first Tenant it finds in the DB that has that username, thus ignoring your TenantSwitch().
So, if you want to login to a specific Tenant in your case, you need to be more explicit and instead use the Login() action - after the tenant switch.
For a thorough explanation of this, with example code, please check out the following deepdive Master Class on Multi-Tenancy starting around the 27:20 minute mark.
This isn't available out of the box as OutSystems assigns users (and all entities) to a specific tenant. Entities belonging to single tenanted modules are assigned to the default tenant.
OutSystems uses a hidden .Tenant_Id attribute on each entity to indicate which tenant that user belongs to. You can unhide this attribute for the users entity by selecting it, clicking More... and then ticking the relevant box in the Advanced tab. You can then access the attribute directly, but be aware this will hinder OutSystems' ability to do some of the stuff it does automatically to ensure that you access tenant specific data.
When you use the User_Login action OutSystems will deduce which tenant to use from the User.Tenant_Id attribute regardless of which tenant you've switched it to previously. The user would need an account for each tenant they need to use, but there's no reason this couldn't be done behind the scenes with OS fetching the correct username before logging in. You'd need to ensure they all stay in sync though, especially the passwords ofc.
We're designing a green field multitenant (web/mobile) system, and plan to use IdentityServer4.
I lieu of first-class multitenant support in IdentityServer4 we're looking into having separate user stores per tenant. When trying to figure out how to go about doing this, I've looked at the implementation of https://github.com/IdentityServer/IdentityServer4.AspNetIdentity
It appears to be registering an implementation of IResourceOwnerPasswordValidator, which only is called when using the 'Resource owner password' grant type.
Which interfaces should be implemented and registered to support custom/multiple user stores in the other (e.g. implicit) grant types?
--
Thor A. Johansen
Interactive login logic goes into the "account controller". You can use the acr_values parameter (or some custom parameter) to indicate the tenant ID from the client and then retrieve that in the controller via the IIdentityServerInteractionService.GetAuthorizationContext method.
In my application I need to register users. The users can be any of three: admin, client and general. They have different attributes (Admin may have only name, client may have company address and so on). The default MVC membership scheme is okay but how can it be extended to register more information during registration time? Or should I use custom membership?
I need to have a record of clients and general users with clientID or generalID.
The default MVC membership scheme is okay but how can it be extended
to register more information during registration time? Or should I use
custom membership?
I think too many people, yourself included, are expecting to get too much from the default ASP.NET Membership Provider. It was never designed to handle application-specific things, like what company your customer works for, your admin's name, and so on. It's main purpose is storing passwords for authentication.
Sure, the password needs to be linked to a username, so that there can be a 2-key authentication pair. Sometimes you also need the user's email address, when it is different from their username, in order to contact the user regarding their password. But don't store anything else about your users in the membership store. Store it in your application database.
In order to join data between your application and the membership provider, use the membership provider's UserName or ProviderKey as a column in one of your database tables. You end up with 2 entities which are not explicitly related. You can even have your SqlMembershipProvider implemented in a separate database from your application database. Even if they are in the same database, avoid having a foreign key between any of the provider tables and your application tables. This muddies the waters between what you own, and what you "outsource" to the membership provider.
You end up with 2 physically isolated representations of your user. One is the MembershipProvider, which contains a password for your user. The other is your application, which contains other business-specific details. The two are only logically associated within your application. After you authenticate a user with the membership API, their UserName and/pr ProviderKey become available to your application. You can then use that piece of data to query your app database and get the additional details. This is where you might put something like the clientID or generalID you mentioned.
If you look at the System.Web.Security.Member* API, this should make things clearer. It does one thing really well -- associating your users with passwords and other information related to password resetting (like the email address, question and answer, etc). So outsource just the password provider, and rely on your application to do the important stuff.
You could customise the default profile provider or create your own... Follow this reference
http://msdn.microsoft.com/en-us/library/8zs47k7y
You can add new properties to the profile for anything in the web.config too
I highly suggest creating your own membership roles. It's dead simple and nothing can beat the flexibility of having your own implementation.
Here's a video I made a while back showing you step by step how to achieve this:
http://www.youtube.com/watch?v=BsxUsyMSGeA
The gist of it is, you create your own AuthorizeAttribute and create your own roles; protecting each controller or even individual Action methods along the way.
The one drawback of this approach is that you can determine what Role a user has in your system, but not what a Role can do in your system. Does that make sense?
There are other choices if you need to edit what a role can do at runtime.