Integrate Web API Services with multiple authentication services

Question

In a multi-tenant deployment of Web application, How can the Asp.Net Core Web API services be designed to work with different authorization services? The Web applications use OAuth and JWT Bearer authentication and pass access token to the Web API services.

One approach that I could think of is to, get the Authority from the Request to understand the identity source and redirect to the respective authorization service.

==>

To elaborate further, When the Web Applications are deployed the Authorization service details (Audience, Authority and others) are shared with the API service as shown in the diagram below. This should not be a problem since we deploy the Web application and integrate it with the client's identity management system.

In the requests to API service, the Web app must include app_id along with the access_token in the request headers. This will directs the API service to validate the token with the corresponding authority.

In order to make this work, we have to implement the complete JWT bearer validation middleware. Is this a proper approach and achievable? are there any other solutions used in these situations?

Answer 1

Technically, your approach would work. The token will have the authority embedded in it (the 'issuer' claim), you can use that to retrieve the public key, then you can validate the JWT.

Answer 2

Check out http://identityserver.io/ It's a middleware to handle all the auth for you