User Management and Multi-Tenancy

Hello!

I was hoping for some help with a question I have for a small project I’m working on. The project is a simple web app written with Vuejs that connects to a back-end API using .NET Core 3.1.

Currently, a user logs in to the web app using Okta, and then passes an access token to the API to access the database. The API retrieves role information from the access token and implements access policies to allow/deny access to API end points.

Along with the role information, I had planned to include a tenant id in the Okta app profile that is then included in the access token when a request is made with the appropriate scope. The API then could take the tenant id, determine the correct tenant database to connect to, and fulfill the request.

My question is - what is the best approach to implement user management in this scenario while still being able to support multi-tenancy? Here are some of the approaches I’ve already tried, but found issues with, along with what I’m currently thinking is an ideal solution.

That said, my initial thought was that within Okta I would set up an initial user for the tenant within the Administrator group, and then set up that user as a Group Administrator within Okta. This way the web app could make API calls directly to Okta and set up additional users, with the web app determining what group assignments the user gets based on the user’s input. However, I’ve now realized that the issue here is there isn’t any way to separate users from each tenant - that approach would give administrators from all tenants access to all users.

My immediate thought after that was possibly just having all requests to add/modify/etc. users be sent to the back-end API first, to validate tenant ids and make sure the request is valid, and then have my API connect to the Okta API to have the request made. However, I then found out that when a user is a group administrator within an Okta organization, they are able to log in to the Okta website directly and manage users in the groups they are administrators of.

My current plan is this:

  • Each tenant has a group set up to contain all of their users.
  • The tenant groups are assigned access to the application within Okta so the users can log in.
  • Upon deployment, the first user is set up as a group administrator of their tenant group.
  • The tenant group is included in the access token and used in place of a tenant id profile field.
  • Additional groups can be managed by the administrators to control access to the application.
  • The Web App can then make requests directly to the Okta Users API to add/update users, etc.
  • The back-end API middleware that changes the Okta groups into roles can also be augmented to transform the tenant group into a tenant id - and handle appropriately if an invalid tenant id isn’t found.

I’m hoping someone with more experience in Okta authentication/authorization can maybe provide some feedback on this plan or even point me in the right direction. Thanks for your time!
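The last bullet of the plan (turning the tenant group in the token into a tenant id, and failing safely when it can’t be done) is the part of the design where the API decides which database a request reaches, so it is worth showing as code. The following C# is an added example, not the poster’s code and not Okta’s SDK: it assumes the access token carries a `groups` claim, that tenant groups follow a constructed naming convention (`tenant-<name>`), and that the API holds an allowlist mapping each known tenant group to the tenant id it uses to pick a connection. Names such as `TenantResolver`, `ResolveTenant`, `ToRoles` and the `tenant-` prefix are assumptions for illustration. The resolver fails closed: no tenant group, more than one tenant group, or a group not in the allowlist all produce a rejection rather than a guessed tenant, and tenant groups are stripped before the remaining groups are treated as roles.

```csharp
// Added example for the back-end API described in the post (not the poster's code,
// not Okta's SDK). Targets .NET Core 3.1 / C# 8. Type and member names and the
// "tenant-" group prefix are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class TenantResolution
{
    public bool Allowed { get; }
    public string TenantId { get; }   // null when Allowed is false
    public string Reason { get; }     // why the request was rejected, for logging

    private TenantResolution(bool allowed, string tenantId, string reason)
    {
        Allowed = allowed;
        TenantId = tenantId;
        Reason = reason;
    }

    public static TenantResolution Allow(string tenantId) => new TenantResolution(true, tenantId, null);
    public static TenantResolution Deny(string reason) => new TenantResolution(false, null, reason);
}

public static class TenantResolver
{
    // Assumed convention: each tenant's Okta group is named "tenant-<name>".
    public const string TenantGroupPrefix = "tenant-";

    // Maps the token's group values to exactly one tenant id via an allowlist held by
    // the API, so an unexpected group value can never become a database selector.
    public static TenantResolution ResolveTenant(
        IEnumerable<string> groupsClaim,
        IReadOnlyDictionary<string, string> tenantIdByGroup)
    {
        if (groupsClaim == null) return TenantResolution.Deny("no groups claim in token");

        var tenantGroups = groupsClaim
            .Where(g => g != null && g.StartsWith(TenantGroupPrefix, StringComparison.Ordinal))
            .Distinct(StringComparer.Ordinal)
            .ToList();

        if (tenantGroups.Count == 0) return TenantResolution.Deny("no tenant group in token");
        if (tenantGroups.Count > 1) return TenantResolution.Deny("ambiguous: more than one tenant group");

        if (!tenantIdByGroup.TryGetValue(tenantGroups[0], out var tenantId))
            return TenantResolution.Deny($"unknown tenant group '{tenantGroups[0]}'");

        return TenantResolution.Allow(tenantId);
    }

    // Non-tenant groups become application roles; tenant groups are removed so a
    // role check can never be satisfied by a tenant group.
    public static IReadOnlyList<string> ToRoles(IEnumerable<string> groupsClaim) =>
        (groupsClaim ?? Enumerable.Empty<string>())
            .Where(g => g != null && !g.StartsWith(TenantGroupPrefix, StringComparison.Ordinal))
            .Distinct(StringComparer.Ordinal)
            .ToList();
}

public static class Program
{
    public static void Main()
    {
        // Constructed allowlist; in the real API this would come from configuration.
        var tenantIdByGroup = new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["tenant-acme"] = "acme",
            ["tenant-globex"] = "globex",
        };

        // Constructed "groups" claim values as they might appear in an access token.
        var cases = new Dictionary<string, string[]>
        {
            ["normal user"]       = new[] { "Everyone", "tenant-acme", "app-admin" },
            ["no tenant group"]   = new[] { "Everyone", "app-admin" },
            ["two tenant groups"] = new[] { "tenant-acme", "tenant-globex" },
            ["unknown tenant"]    = new[] { "tenant-initech" },
        };

        foreach (var kv in cases)
        {
            var result = TenantResolver.ResolveTenant(kv.Value, tenantIdByGroup);
            var roles = string.Join(",", TenantResolver.ToRoles(kv.Value));
            Console.WriteLine(result.Allowed
                ? $"{kv.Key}: tenant={result.TenantId} roles=[{roles}]"
                : $"{kv.Key}: 403 ({result.Reason})");
        }
    }
}
```

To use this in the middleware the post describes, call `ResolveTenant` with the values of the authenticated principal’s `groups` claims (for example `context.User.FindAll("groups").Select(c => c.Value)`), return a 403 and log `Reason` when `Allowed` is false, and otherwise stash `TenantId` in the request context for the data layer to select the tenant connection; the roles from `ToRoles` feed the existing policy checks. Keeping the allowlist in API configuration rather than trusting the group name itself means a group created by a tenant administrator in Okta cannot route requests to another tenant’s database.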