I am using JWT based authentication in my .net core 2.1 web site. Currently this works fine. Now, I have to make one API multi-tenant and each tenant will have it's own secret key. The tenant Id will be passed as parameter to the API.
[Authorize]
[HttpGet("tenant/{id}")]
public async Task<IActionResult> GetInfo(string id)
{
}
Each tenant will sign the JWT and will add to Authorization header. I am not able to think of a way to change IssuerSigningKey based on the parameter. I tried following:
Validating the JWT inside the API by making it [
AllowAonymus]. This works but I have end up writing all the JWT validating code.Implementing
ISecurityTokenValidator
I can implement ISecurityTokenValidator to validate the token and using this in startup configuration something like this:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
options.SecurityTokenValidators.Clear();
options.SecurityTokenValidators.Add(new JWTSecurityTokenValidator());
});
And implemented my own class to validate the token.
public class JWTSecurityTokenValidator : ISecurityTokenValidator
{
public ClaimsPrincipal ValidateToken(string securityToken, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
{
// Implement the logic
}
}
But again I end up doing heavy lifting. Also, I am not able to access the parameter "tenantId" in the ValidateToken.
3.Using IssuerSigningKeyResolver:
I can implement a delegate:
IEnumerable<SecurityKey> IssuerSigningKeyResolver(string token, SecurityToken securityToken, string kid, TokenValidationParameters validationParameters)
Again I don't's have access to the "tenantId" parameter to choose the appropriate key.
Is there elegant solution to choosing IssuerSigningKey based on the parameter so that I don't need to write my own logic to validate JWT? Or only option is to go with first option?
