Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support multi-SSO access #51

Open
jezzsantos opened this issue Oct 6, 2024 · 0 comments
Open

Support multi-SSO access #51

jezzsantos opened this issue Oct 6, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@jezzsantos
Copy link
Owner

Currently, we support authentication with:

  1. credentials
  2. sso providers (any)
  3. APIKey
  4. HMAC (for internal APIs)

In the SSO scenario, we store a set of tokens, (access_token and optionally refresh_tokens, and id_token) against the original provider, and the user.

The primary use case here is for auto-registration of the user (identified by email).
The secondary use case here is to (later) access those original systems using those tokens.
Those tokens can be fetched, and refreshed, and used (by that user only).

Further, users are uniquely defined (in the EndUser subdomain) by their username, which is their email address that they were registered with. which is owned by the UserProfie subdomain. No two EndUser can be registered with the same email address.

However, what we don't support yet, is the ability to store multiple sets of tokens (access_token) against multiple providers for the same user (each with possibly a different email address).

So, if we want to access another system for this EndUser we are unable to do so presently.

Conceptually, what we need to do, is have that user authenticate against that other provider (without auto-registrating them), and to store those auth tokens against the users account.
The email they use to do that SSO authentication flow needs to be stored with their auth tokens, but it should not considered when detecting uniqueness when registering new EndUser.

In other words, it is possible for a user to SSO auto-register an EndUser against Microsoft with the email address [email protected] and to access to all Microsoft systems. Then later, for this specific EndUser to SSO authenticate against Google, with an email address [email protected] and that OG EndUser to have access to both systems with both sets of tokens.

Then it should be possible to explicitly register a new user on the platform using SSO to Google using the same email address [email protected] and have access to all Google systems as a different EndUser. This is possible.

What
@jezzsantos jezzsantos added the enhancement New feature or request label Oct 6, 2024
@jezzsantos jezzsantos changed the title Support 2FA authentication Support multi-SSO authentication Oct 6, 2024
@jezzsantos jezzsantos changed the title Support multi-SSO authentication Support multi-SSO access Oct 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jezzsantos