In case you want to have a multi-tenant application, but not a consumer application, the validation of the token fails if the authenticated user comes from a different tenant than the tenant hosting the application.
The failure happens in the token decoding, due to the issuer parameter in the jose.jwt.decode() call at line 193 in auth_service.py.
The root cause seems to be the constant tenant id, which is set during initialize().
Solution idea
A valid token from a different tenant is decodable using jose.jwt.decode() if the issuer is not specified. Hence, a kind of quick fix would be to add a multi-tenant flag and not add the issuer to the decode call if this is a multi-tenant app.
Not sure whether or not that implies security issues. In the case of a single-tenant app, a user from a different tenant shouldn't be able to get a valid token anyway. In the case of a multi-tenant application, the legitimacy (AuthZ) of the user must be checked somewhere else anyhow.
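An alternative to dropping the issuer check is to keep it but derive the expected issuer per tenant. The following is an added example, not the project's auth_service.py: it reads the unverified `tid` claim only to choose which issuer to require, rejects tenants outside an allow-list, and then enforces that issuer during the verified decode. It assumes the IdP emits a `tid` claim and per-tenant issuer URLs of the form `https://login.microsoftonline.com/{tid}/v2.0`; the tenant ids are constructed, and a stdlib HS256 verifier stands in for jose.jwt.decode() so the example runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (not the project's): tenant allow-list and the
# per-tenant issuer template; a real service would load these from config.
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111",
                   "22222222-2222-2222-2222-222222222222"}
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tid}/v2.0"
DEMO_SECRET = b"demo-hs256-key"  # stand-in for the IdP's signing key (real tokens are RS256)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_demo_token(claims: dict) -> str:
    """Build an HS256 token for the example only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def expected_issuer(token: str) -> str:
    """Read the UNVERIFIED 'tid' claim only to pick which issuer to require.
    Nothing is trusted here; the verified decode below confirms the choice."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    tid = payload.get("tid")
    if tid not in ALLOWED_TENANTS:
        raise ValueError(f"tenant {tid!r} is not allowed")
    return ISSUER_TEMPLATE.format(tid=tid)

def decode_multi_tenant(token: str, audience: str) -> dict:
    """Verified decode: signature, exp, aud and the per-tenant issuer.
    In the real service this step is jose.jwt.decode(token, key, audience=..., issuer=issuer)."""
    issuer = expected_issuer(token)
    header, body, sig = token.split(".")
    good = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("iss") != issuer:  # tid and iss must agree; a mismatch is rejected
        raise ValueError("issuer mismatch")
    return claims
```

The allow-list is what keeps "multi-tenant" from meaning "any tenant"; if every Azure AD tenant is genuinely acceptable, the per-tenant issuer check still binds `iss` to `tid` instead of skipping validation.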