Multi tenancy not supported?

Hi Peter!

Thank you for your quick reply!

That’s great! We will solve our multi tenancy feature using the UseClientCertificateResolver-extension and some kind of cookie to determinate where the end user is coming from.

But first we need to update to latest version (Active Login, Identity Server, NET Core) to get the extension but that wont be that big of a deal 😃

Thank you for bringing us Active Login!

Regards

Would very much appreciate an example on how to correctly set this up, any code would do 😃 I can’t get the UseClientCertificateResolver-callback to execute per customer, the callback is only called once and therefore same certificate is used for all customers.

Ohh, you’ve found a bug! Thanks for reporting this. The project we are implementing multi tenancy for isn’t live yet, and we simply haven’t found this in our testing yet. It’s really sad we don’t have any unit test for this specific part, but the problem is that the callback is only triggered when making a real call to their API, so no easy way to fix that at the moment.

The problem is (what I can find out) is that ASP.NET caches the choice of certificate in the HttpMessageHandler pool. It seems to be cached by hostname, because usually you want to select cert based on hostname. But in our case we have multiple certificates for the same hostname.

Anyway, I’ll make a hotfix to fix this issue, but until that is out, could you confirm that the below code would work? UseClientCertificateResolver is only an extension method to make it easier to configure, so you can try out the code below yourself before we make the hotfix. The fix is to disable caching if you enable UseClientCertificateResolver.

        public static IBankIdBuilder UseClientCertificateResolver(this IBankIdBuilder builder, Func<ServiceProvider, X509CertificateCollection, string, X509Certificate> configureClientCertificateResolver)
        {
            builder.ConfigureHttpClientHandler(httpClientHandler =>
            {
                var services = builder.AuthenticationBuilder.Services;
                var serviceProvider = services.BuildServiceProvider();

                httpClientHandler.PooledConnectionLifetime = TimeSpan.Zero;
                httpClientHandler.SslOptions.LocalCertificateSelectionCallback =
                    (sender, host, certificates, certificate, issuers) => configureClientCertificateResolver(serviceProvider, certificates, host);
            });

            return builder;
        }

It’s not optimal, but the best/inly solution with current architecture. I’ve had a brief discussion with a colleague and for version 5 or similar we’d like to rearchitechture the solution to allow for a IBankIdClientFactory that you can override and provide different clients for different tenants.

If you confirm that the above works, I’ll try to find time this week to release the hotfix.