
    Unable to Obtain Tenant-Signed Access Token for Data-Plane Apps in a Multi-Client, Multi-Application FusionAuth Architecture

    ezequiel.rebasa

      Our architecture breaks a bit with how FusionAuth approaches multitenancy, because Fusion is designed (or at least that's how I see it) to be a multi-application tenant, allowing for switching between applications within the same tenant.
      We are implementing OIDC and have one tenant with one application that will be our identity provider and sole means of authentication. A user can belong to N tenants with N applications, but their login is through that Simfinix tenant (IDP).
      Once logged in, it allows me to switch between different tenants. But the complexity is in token management, since Fusion can return the token signed by Simfinix, and with a Lambda, I can add any claims I want. However, when selecting a contextualized tenant, it doesn't allow me to create a token signed by that tenant to ensure no one can modify the tenant I'm currently working with.
      Is this clear?
      Could you help us find a solution?
      We are considering manually managing the tokens, but we are not sure if we are leaving any security holes. We would also prefer FusionAuth to handle this, also because of the possibility of refresh tokens.

      mark.robustelli

        This seems like a bit of a complex use case. To start off, let's clarify: FusionAuth allows the creation of multiple Tenants within the AdminUI. However, the user created under each tenant has a unique id. So user1@example.com under the Tenant One tenant is different from the user1@example.com under the Tenant Two tenant.

        That being said, I don't think that is the issue. The way I understand this is the Simfinix tenant is in FusionAuth and that is going to be the IdP for all applications. In that case, you will have to set up the Simfinix tenant as an Identity Provider in FusionAuth (Here is a link to a post that shows how this can be done). Then each of your applications in the other tenants will have to use that IdP. Be sure to check out the linking strategies to get the behavior you want. Then you can run the lambdas you need for the applications.

        If anyone has other ideas, please feel free to chime in.

        ezequiel.rebasa @mark.robustelli

          @mark-robustelli
          Thank you Mark for responding and I would like to take this opportunity to provide more clarity on what we have implemented and what we want to achieve.

          Use Case: Hybrid SSO Across Physically Isolated Tenants
          We maintain N physically isolated FusionAuth tenants (each with its own database) and within each tenant multiple Applications. Instead of provisioning the same email in every tenant, we have a single “Control-Plane” tenant called Simfinix, where each user logs in exactly once.

          Our backend enriches each FusionAuth user record with a custom field, user.data.tenants, listing which physical tenants and which Applications in those tenants they’re allowed to access. When a user switches context, the backend is supposed to silently obtain a new access token signed by that specific tenant’s FusionAuth instance and scoped to the chosen Application—no re-login required.

          However, at present we are unable to achieve this. When we call /api/jwt/issue on the target tenant, FusionAuth looks for the Application Portal-Simfinix (which only exists in the Simfinix tenant) and returns “application not found,” so we never receive a token signed by the intended tenant context.

          Topology Example:

          Tenants
          ├── Simfinix (OIDC IdP)
          │ └── Apps: Portal-Simfinix (identity provider)
          ├── TenantA
          │ └── Apps: AppA, AppB, AppC
          └── TenantB
          └── Apps: AppA, AppB, AppC

          User: xxx@gmail.com
          ├── authenticatedTenant: Simfinix
          └── user.data.tenants (custom FusionAuth field):
          [
          {
          tenantId: TenantA_ID,
          applications: [AppA_ID, AppC_ID]
          },
          {
          tenantId: TenantB_ID,
          applications: [AppB_ID]
          }
          ]
          Key Points:

          Single login in Simfinix → backend stores one refresh_token_simfinix.

          Silent-login flow per tenant: backend uses that token to perform an OIDC authorize request with prompt=none in the target tenant and exchanges the code for refresh_token and access_token issued by that tenant.

          A call to /api/jwt/issue or a refresh_token grant against the chosen tenant should issue a JWT signed by that tenant and scoped to the selected Application.

          Current blocker: FusionAuth is searching for “Portal-Simfinix” in the target tenant’s Applications (because that’s the client_id we’re passing) and fails with “application not found,” so we never get the tenant-signed JWT.

          Once resolved, users will experience “log in once → switch anywhere,” with each tenant remaining fully isolated and all tokens correctly signed by the appropriate tenant.

          Note: the property user.data.tenants lives on the FusionAuth User object (under its data map) and is fully custom—FusionAuth doesn’t provide it out-of-the-box, but we extend the User entity to include it.

          mark.robustelli @ezequiel.rebasa

            @ezequiel-rebasa said in Unable to Obtain Tenant-Signed Access Token for Data-Plane Apps in a Multi-Client, Multi-Application FusionAuth Architecture:

            prompt=none

            OK, a few things. One is it looks like there are a few open issues #521 and #2208 around FusionAuth not supporting the "prompt=none" parameter.

            I may be missing something here, but using lambdas, I was able to hit the login event for both Tenants when logging in. I imagine you could make the changes you needed there.

            I set up FusionAuth so that I have 2 Tenants Default and Test Tenant.

            In Default there is the FA Login Master application.

            In the Test Tenant I have the ExampleDotNetApp application.

            I set up an Identity Provider named FusionAuth Default Tenant FA Login Master using the FA Login Master application as the (IdP) and enabled it on the Test Tenant ExampleDotNetApp. I created a lambda named "FA Default OpenID Reconcile" of type OpenId Connect reconcile.

            The order in which the lambdas were executed was as follows:

            • "FA Default Access Token Populate" of type JWT populate on FA Login Master

            • "FA Default OpenID Reconcile" on FusionAuth Default Tenant FA Login Master

            • "ExampleDotNetApp Access Token Populate" of type JWT populate on ExampleDotNetApp.

            You could potentially use any of those to inject info you need on the JWT.
            Please note that Lambda HTTP Connect is only available in an Essentials or Enterprise plan.

            When I add a favoriteColor in the "ExampleDotNetApp Access Token Populate" lambda, I am able to see it in the ExampleDotNetApp application after logging in.

            I would think with the access to those lambdas, you may be able to accomplish what you are trying to do.
