how does multi tenancy work in cloud? #160

aep · 2022-09-21T08:43:26Z

aep
Sep 21, 2022

When a user is signing up via github, an identity is created that binds that github id.
Adding a tenant_id field to the identity schema only helps half way.
Because the next time the user wants to log in as a different tenant, the github id already has an identity in the first tenant.

Presumably in a self hosted environment this would be solved by using distinct oauth client ids per tenant, but i couldn't find those in cloud.

Answered by kmherrmann

Sep 21, 2022

If you want a full separation between identity "spaces" by tenant, you may be better off creating a project per tenant (which is possible via API & CLI). You'll have to manage the tenant configurations and provisioning, but you get full flexibility.

Alternatively, you could allow for multiple tenant_ids in your schema if you want to have centralized accounts and want to activate them for each tenant. Then you'll want to tweak the flows to add tenants to an existing account on registration and to e.g. reject login when the user isn't mapped to the tenant in question - depending on your desired behavior.

View full answer

kmherrmann · 2022-09-21T09:49:16Z

kmherrmann
Sep 21, 2022

If you want a full separation between identity "spaces" by tenant, you may be better off creating a project per tenant (which is possible via API & CLI). You'll have to manage the tenant configurations and provisioning, but you get full flexibility.

Alternatively, you could allow for multiple tenant_ids in your schema if you want to have centralized accounts and want to activate them for each tenant. Then you'll want to tweak the flows to add tenants to an existing account on registration and to e.g. reject login when the user isn't mapped to the tenant in question - depending on your desired behavior.

4 replies

aep Sep 26, 2022
Author

thanks, we decided to put tenants into the schema. but this is a bit scary because its not clear which part of an identity is editable by users. could you point me at how a schema would look like that adds this safely?

vinckr Sep 26, 2022
Maintainer

Hello @aep
have a look at identity metadata: https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata.

If you use Admin metadata, they can only be read and modified by calling the admin API. Public metadata can be read by the end user but not modified.
Traits can be modified and read by the end user.
I will see if I can find an example for metadata for you.

aep Sep 26, 2022
Author

metadata seems to work out of the box (since its schemaless) thanks. but is it safe to use for this purpose? i'm worried about discovering later that it could get manipulated

aeneasr Oct 5, 2022
Maintainer

You can use it for that purpose! Metadata can only be changed by admins: https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata#metadata

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

how does multi tenancy work in cloud? #160

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 4 replies

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

how does multi tenancy work in cloud? #160

aep Sep 21, 2022

Replies: 1 comment · 4 replies

kmherrmann Sep 21, 2022

aep Sep 26, 2022 Author

vinckr Sep 26, 2022 Maintainer

aep Sep 26, 2022 Author

aeneasr Oct 5, 2022 Maintainer

aep
Sep 21, 2022

Replies: 1 comment 4 replies

kmherrmann
Sep 21, 2022

aep Sep 26, 2022
Author

vinckr Sep 26, 2022
Maintainer

aep Sep 26, 2022
Author

aeneasr Oct 5, 2022
Maintainer