In Multitenant Oidc, Is there a way to have a Login url instead of redirect to the default provider tenant ?

[IsmailMarmoush]

Hi,

I have multi tenant Oidc provider let's say google (default), github (tenant), facebook(tenant)
when I'm accessing protected paths, it goes directly to default authenticator e.g google,

But what I need, is to have some redirection to a login page before moving to the identity provider (e.g multiple buttons per provider).

Couple of notes:

I understand the login page redirection in general might not be related to oidc specifically, it's just the use case I have atm.
I'm using OidcFeature in routing and I couldn't figure a way to configure it for such interception,
I'm aware of oidc multitenancy and I'm using a header for that as follows, but in this case it's the request made directly to a protected page, so it won't have headers.

        multi-tenant: true
        tenant-id-style: token-handler
        tenant-id-handler:
          header: "tenant-id"

Is there a way to do redirection to specific page instead of identity-uri through configuration or programmatically and what is the best practice in such case ?

Thanks in advance

[klustria]

David is the expert in this area, but he is currently on vacation so I'll tag him here and he can probably respond when he comes back sometime next week. cc @Verdent

[IsmailMarmoush]

Hi @Verdent, just friendly reminder regarding this question
thanks in advance

[Verdent]

Hi, I am sorry for a late response. Currently we always redirect to identity-uri and I think there is no way how to redirect to a login page instead of the identity uri. At least none that I can think of.

So what you would like to do is following:

1. user tries to access some protected endpoint
2. they are not authenticated and get redirected to "login" page you specify and make
3. user selects desired way how to authenticate
4. gets redirected to identity uri

Do I get it right?

[IsmailMarmoush]

Hi @Verdent thanks for your reply,

Yes exactly, and the thing is that Helidon redirects to the default identity-uri, I mean isn't that a case that should be covered for such oidc multi-tenancy feature instead of being forced to go the default ?

p.s the suggestion on top of my head was to have some error/login page config option so we redirect to it (at least when multi-tenancy is active), but there could be better option that's also dynamic.

Currently here's the hack I'm doing and I'd love to hear your thoughts:

@Override
  public void filter(FilterChain chain, RoutingRequest req, RoutingResponse resp) {
    if (loginRequired(req) && !hasTenantId(req)) {
      resp.status(Status.TEMPORARY_REDIRECT_307).headers().add(LOCATION, "/login");
      resp.send();
    } else {
      chain.proceed();
    }
  }

private boolean loginRequired(RoutingRequest req) {
    return securePaths.stream().anyMatch(p -> p.match(req.prologue().uriPath()).accepted());
  }
  
private boolean hasTenantId(RoutingRequest req) {
    var tenantIdCookieOpt = req.headers().cookies().first(tenantIdCookieName).asOptional();
    var tenantIdParamOpt = req.prologue().query().first(tenantIdParamName).asOptional();
    var tenantIdHeaderOpt = req.headers().first(HeaderNames.create(tenantIdHeaderName));
    return tenantIdCookieOpt.or(() -> tenantIdParamOpt).or(() -> tenantIdHeaderOpt).isPresent();
  }  

security:
  #  default-authentication-provider: oidc
  #  default-authorization-provider: abac
  provider-policy:
    type: COMPOSITE
    authentication:
      - name: "oidc-provider"
    authorization:
      - name: "abac"
      - name: "authorizer"
  providers:
    - name: oidc-provider
      type: oidc
      enabled: true
      oidc:
        multi-tenant: true
        tenant-id-style: token-handler
        tenant-id-handler:
          header: "oidc-tenant"
        # Default OIDC
        redirect: true
        force-https-redirects: true
        frontend-uri: "https://${server.host}:${server.port}"
        identity-uri: "${common.security.oidc.tenants.1.identity-uri}"
        client-id: "${common.security.oidc.tenants.1.client-id}"
        client-secret: "${common.security.oidc.tenants.1.client-secret}"
        check-audience: false
        query-param-use: false
        cookie-use: true
        header-use: true
        cookie-encryption-tenant-enabled: false # for dev
        oidc-metadata-well-known: true
        oidc-metadata:
          resource:
            uri: "${common.security.oidc.tenants.1.identity-uri}/realms/nota/.well-known/openid-configuration"
     

        tenants:
          - name: "keycloak" # must be a string no interpolation here
            identity-uri: "${common.security.oidc.tenants.0.identity-uri}"
            client-id: "${common.security.oidc.tenants.0.client-id}"
            client-secret: "${common.security.oidc.tenants.0.client-secret}"
            check-audience: false
            cookie-use: true
            header-use: true
            oidc-metadata-well-known: true
            oidc-metadata:
              resource:
                uri: "${common.security.oidc.tenants.0.identity-uri}/realms/nota/.well-known/openid-configuration"