Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Multi tenancy not supported?

See original GitHub issue

Describe the bug When adding the bank id provider multiple times following exception is thrown:

InvalidOperationException: The HttpClient factory already has a registered client with the type 'ActiveLogin.Authentication.BankId.Api.IBankIdApiClient'. Client types must be unique. Consider using inheritance to create multiple unique types with the same API surface.

What area is it related to BankID

To Reproduce Steps to reproduce the behavior: Create a new empty NET Core application, install the ActiveLogin-package and call AddBankId twice.

Expected behavior When calling AddBankId a isolated authentication provider is created for given schema. So we can add multiple customers with different certificates.


NuGet package version ActiveLogin.Authentication.BankId.AspNetCore 2.0.1 (same behavior i 3.0.0)

Runtime version NET Core 3.0 (same behavior i 3.1)

Desktop (please complete the following information):

  • Windows
  • Chrome

Additional context Is multi tenancy something you had in mind when creating this package or was it never meant to support multiple customers with different certificates in the same application?

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:7 (4 by maintainers)

github_iconTop GitHub Comments

antonkallenbergcommented, May 8, 2020

Hi Peter!

Thank you for your quick reply!

That’s great! We will solve our multi tenancy feature using the UseClientCertificateResolver-extension and some kind of cookie to determinate where the end user is coming from.

But first we need to update to latest version (Active Login, Identity Server, NET Core) to get the extension but that wont be that big of a deal 😃

Thank you for bringing us Active Login!


PeterOrneholmcommented, May 11, 2020

Would very much appreciate an example on how to correctly set this up, any code would do 😃 I can’t get the UseClientCertificateResolver-callback to execute per customer, the callback is only called once and therefore same certificate is used for all customers.

Ohh, you’ve found a bug! Thanks for reporting this. The project we are implementing multi tenancy for isn’t live yet, and we simply haven’t found this in our testing yet. It’s really sad we don’t have any unit test for this specific part, but the problem is that the callback is only triggered when making a real call to their API, so no easy way to fix that at the moment.

The problem is (what I can find out) is that ASP.NET caches the choice of certificate in the HttpMessageHandler pool. It seems to be cached by hostname, because usually you want to select cert based on hostname. But in our case we have multiple certificates for the same hostname.

Anyway, I’ll make a hotfix to fix this issue, but until that is out, could you confirm that the below code would work? UseClientCertificateResolver is only an extension method to make it easier to configure, so you can try out the code below yourself before we make the hotfix. The fix is to disable caching if you enable UseClientCertificateResolver.

        public static IBankIdBuilder UseClientCertificateResolver(this IBankIdBuilder builder, Func<ServiceProvider, X509CertificateCollection, string, X509Certificate> configureClientCertificateResolver)
            builder.ConfigureHttpClientHandler(httpClientHandler =>
                var services = builder.AuthenticationBuilder.Services;
                var serviceProvider = services.BuildServiceProvider();

                httpClientHandler.PooledConnectionLifetime = TimeSpan.Zero;
                httpClientHandler.SslOptions.LocalCertificateSelectionCallback =
                    (sender, host, certificates, certificate, issuers) => configureClientCertificateResolver(serviceProvider, certificates, host);

            return builder;

It’s not optimal, but the best/inly solution with current architecture. I’ve had a brief discussion with a colleague and for version 5 or similar we’d like to rearchitechture the solution to allow for a IBankIdClientFactory that you can override and provide different clients for different tenants.

If you confirm that the above works, I’ll try to find time this week to release the hotfix.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Since multi-tenancy is not supported for the LDAP plugin
No, it doesn't work because tenants are a part of the identity service. If a user or group should be allowed to see...
Read more >
Multi-tenancy - MoodleDocs
Multi -tenancy is the ability to enable the configuration for multiple tenants with different themes and permissions, keeping them separated so ...
Read more >
Multitenancy support for reactive web apps
Wanted to know if reactive web apps doesn't support multi-tenancy on its own. I understand that Site.TenantId is available only on server ......
Read more >
Multi-tenancy - EF Core
These applications are classified as "multi-tenant" because each customer is considered a tenant of the application with their own set of data.
Read more >
Setting up multi-tenancy
Enabling multi-tenancy will restrict what repository features can be used, as described in Features not supported in a multi-tenant environment.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found