
Multi tenant OAuth with FusionAuth


I am working through Matt's excellent article on implementing the OAuth Authorization Code Grant in a React app. https://fusionauth.io/blog/2020/03/10/securely-implement-oauth-in-react

We have a multi-tenant implementation and would like to know what the recommended approach is for determining which tenant a user is authenticating as. For example, if we have two different users in different tenants, both registered for the same application and both have the same username, is it possible to ask the user which tenant they belong to?

I think I can pass along the tenantId in the authorize query string, but this would require me to have already asked the "where are you from" question. Do I need to implement this, or can FusionAuth provide this out of the box?

I have read the documentation around login themes, but this seems to be more about displaying the tenant, rather than requesting it? https://fusionauth.io/docs/v1/tech/themes/

Great product... thanks in advance.


Solution

So you say this:

    if we have two different users in different tenants, both registered for the same application

FusionAuth applications are tied to a tenant, so it isn't possible to have a FusionAuth application shared between tenants. From https://fusionauth.io/docs/v1/tech/apis/authentication#making-an-api-request-using-a-tenant-id

    Some resources in FusionAuth are scoped to Tenants such as Users, Groups and Applications. When more than one tenant exists these APIs will require a tenant Id to ensure the request is not ambiguous.

Now, of course it is possible to have your application be shared among customers, where each customer is a FusionAuth tenant. So the question you ask is a good one. I'd rephrase it as "how can a web application or other client of FusionAuth know which tenant it is associated with?" If that's not the question you're asking, please let me know.

If you have a webapp (say a todo app) that you deploy for multiple customers, and each customer is a tenant in FusionAuth, the todo app could know based on the domain name (foo.todo.com or bar.todo.com) or path (todo.com/foo or todo.com/bar) it is deployed to which FusionAuth tenant id (foo's or bar's) to pass along to FusionAuth. Here's a relevant forum post: https://fusionauth.io/community/forum/topic/19/can-different-tenants-have-their-own-custom-domains-self-hosted-community-edition

If there's no differentiation at the URL level, you could store the tenant id on a group or user table in the database.

It's also worth noting that in the default settings for FusionAuth, the client id is the application id. An application id ties a login session to a particular tenant, since every FusionAuth application belongs to only one FusionAuth tenant (though a tenant can have multiple FusionAuth applications).
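To make the host/path approach above concrete, here is an added JavaScript example (not code from the thread, the linked article, or FusionAuth itself) that resolves the tenant from the deployment's hostname or first path segment and builds the authorize redirect with `tenantId` in the query string. The hostnames, tenant ids and FusionAuth base URL are constructed placeholders; the app is assumed to generate and store a random per-login `state` value itself.

```javascript
// Added example. Tenant ids and hostnames are constructed placeholders, not real ids.
const TENANT_BY_HOST = {
  'foo.todo.com': '11111111-1111-1111-1111-111111111111',
  'bar.todo.com': '22222222-2222-2222-2222-222222222222',
};
const TENANT_BY_PATH_PREFIX = {
  foo: '11111111-1111-1111-1111-111111111111',
  bar: '22222222-2222-2222-2222-222222222222',
};

// Resolve the FusionAuth tenant id from the hostname (foo.todo.com) or the
// first path segment (todo.com/foo). Unknown hosts and paths return null so
// the caller fails closed instead of guessing a tenant from untrusted input.
function resolveTenantId(hostname, pathname) {
  const host = String(hostname || '').toLowerCase();
  if (Object.prototype.hasOwnProperty.call(TENANT_BY_HOST, host)) {
    return TENANT_BY_HOST[host];
  }
  const first = String(pathname || '').split('/').filter(Boolean)[0];
  if (first && Object.prototype.hasOwnProperty.call(TENANT_BY_PATH_PREFIX, first)) {
    return TENANT_BY_PATH_PREFIX[first];
  }
  return null;
}

// Build the Authorization Code Grant redirect. client_id is the FusionAuth
// application id (which already belongs to one tenant); tenantId removes any
// ambiguity once more than one tenant exists. state must be a random value
// the app stored for this login and compares on the callback.
function buildAuthorizeUrl({ fusionAuthBase, clientId, redirectUri, tenantId, state }) {
  if (!tenantId) throw new Error('tenant could not be resolved for this request');
  if (!state) throw new Error('a per-login state value is required');
  const url = new URL('/oauth2/authorize', fusionAuthBase);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state);
  url.searchParams.set('tenantId', tenantId);
  return url.toString();
}

// Stand-alone demonstration with constructed request values.
console.log(buildAuthorizeUrl({
  fusionAuthBase: 'https://auth.example.com',
  clientId: 'APPLICATION_ID_PLACEHOLDER',
  redirectUri: 'https://foo.todo.com/oauth-callback',
  tenantId: resolveTenantId('foo.todo.com', '/login'),
  state: 'REPLACE_WITH_RANDOM_STATE',
}));
```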