Per-request configuration of Oauth2 scheme's endpoint, to support multitenancy

[markwinton]

Is your feature request related to a problem? Please describe.

When setting up an Oauth authentication strategy the endpoints a fixed in the nuxt.config.js file, and this works fine when a single Identity Provider (IdP) realm is being targeted. As far as I can tell, these endpoints cannot be calculated on a per-request basis; in a multi-tenancy environment, where each tenant has its own Oauth realm in the IdP it's not currently possible to route the user to the correct endpoint for their tenant.

The list of tenants is not known at build time, so cannot be hard-coded into the nuxt.config.js file as an exhaustive list of strategies.

Describe the solution you'd like to see

Allow the endpoints to be either a String or a function. String support is the current behaviour, so it a non-breaking change. The function would take the current request as an argument, and would return the url to target.

Pseudocode for nuxt.config.js:

auth:
  strategies: {
    generic_oauth_provider: {
      scheme: 'oauth2',
      endpoints: {
        authorization: function(req, auth) {
          const tenant = req.query.tenant
          return `https://idp.address/auth/realms/${tenant}/protocol/openid-connect/auth`
        },
        token: ...
     }
  }
}

Describe alternatives you've considered

Having looked into the source code for the Auth module, the relevant redirects are done via window.location.replace calls, so I can't think of any way to hook into this.

I've considered implementing a custom scheme as a direct copy-paste of the existing Oauth2Scheme, but this would be a high maintenance approach to take.

Another possible approach explored was setting up a template strategy in nuxt.config.js, with placeholders in the endpoint URLs. When using $auth, the strategy was looked up using this.$auth.strategies[tenant], where tenant is a query parameter, and if no existing strategy was found one should be created (as a clone of the template, modifying the endpoints to be correct for the tenant in the new strategy) and registered using $auth.registerStrategy. This approach didn't seem to work in the way I expected (registerStrategy didn't seem to make the new strategy stick, so the strategy was being recreated every time), and the login redirect didn't happen; if it's possible to dynamically wire in strategies at run time this approach then I think could be made to work instead of the proposed enhancement.

Additional context

Example setup would be using Keycloak, with two realms, one and two:

Realm one:

• authorization: http://localhost:8080/auth/realms/one/protocol/openid-connect/auth
• token: http://localhost:8080/auth/realms/one/protocol/openid-connect/token
• logout: http://localhost:8080/auth/realms/one/protocol/openid-connect/logout
• userInfo: http://localhost:8080/auth/realms/one/protocol/openid-connect/userinfo

Realm two:

• authorization: http://localhost:8080/auth/realms/two/protocol/openid-connect/auth
• token: http://localhost:8080/auth/realms/two/protocol/openid-connect/token
• logout: http://localhost:8080/auth/realms/two/protocol/openid-connect/logout
• userInfo: http://localhost:8080/auth/realms/two/protocol/openid-connect/userinfo

This enhancement would allow Auth to be configured to seamlessly route users for tenant one to the endpoints for Realm One, and users for tenant two to the endpoints for Tenant Two.

[JoaoPedroAS51]

Hi @mark-winton! This would be a great improvement! :)

For now you can setup a plugin which changes the authorization endpoint dynamically. Take a look at #1153 for some examples.

[markwinton]

Thanks @JoaoPedroAS51; it's likely a limitation with my understanding of the auth module (and Nuxt in general), but I don't think the solution in #1153 will work for my setup. My login page is being served by Keycloak itself, i.e. the user's browser is redirected to Keycloak's login page for the tenant, it's not a Nuxt served page where Axios is then used to submit the credentials to Keycloak.

Switching to a Nuxt served page isn't viable, as Keycloak's own page supports multifactor authentication and other login flows which would be tricky (or potentially impossible) to recreate in Nuxt with the available Keycloak APIs.

Edit: Ignore the above, I'd put my plugin in the wrong location in the nuxt.config.js file so it wasn't being picked up. Still hitting something as part of the Oauth login callback approach that's not reformatting the URL, but it's progress...

[bmulholland]

See also #1536 and #713