We need separate authentication(different OIDC issuers) for different Consumer Organizations(audience) #1334
Comments
pritish-nitb
changed the title
pritish-nitb
changed the title
|
@pritish-nitb, 3scale only supports one OpenId Connect issuer endpoint per facade API product. This would be therefore an RFE; one particularly challenging to implement IMO if extended to other components of the API management system such as 3scale/porta and 3scale/zync, which usually handle the synchronisation of the clients in Red Hat SSO. Have you explored using groups instead of realms for modelling multi-tenancy in Red Hat SSO? Here's an example from the community: https://medium.com/swlh/using-keycloak-for-multi-tenancy-with-one-realm-7be81583ed7b. |
|
@guicassolato Would it be possible to write a custom authentication policy that authenticates the token and returns the response in required format? We have a similar requirement where there are two IDPs, one of them is RH SSO and other one is custom. |
We have multi tenancy for the consumer organizations where each organization is part of a different openId realm. So when each consumer calls the API that we publish on 3scale, it only calls with a token from it's own OIDC issuer. However, in apicast configuration it only allows us to add one openID connect issuer so we are not able to validate the tokens of all the consumer organizations. (audiences)
Version
2.7
[provide output of the
nginx -Voropenresty -Vcommand from openshift/local terminal][provide timestamp of the docker image from
docker inspect --format='{{.Created}}' quay.io/3scale/apicast:master]Steps To Reproduce
Current Result
401 error
Expected Result
We are trying to find out if 3Scale can authenticate even if we have consumer organizations in diffrent redhat SSO realms and still expect the calls to work
Additional Information
The text was updated successfully, but these errors were encountered: