Config per Tenant

[josh9060]

Hi all,

We have a different use case concerning authentication. Each Tenant would be set up manually for our product, and thus we would configure them.

Specifically, in regards to authentication, we use ORY Kratos. Each of our Tenants get their own ORY Kratos instance. This is due to the design of Kratos. The problem here is that each Tenant has their own login redirect URL, secret keys, etc.

The question is, how would one go about solving this issue?

I will give you our current outlook.

We plan on storing the configuration in a key store. When a Tenant visits [tenant].app.company.com we would get their Tenant ID from the URL, and fetch the configuration behind the scenes for that Tenant injecting it into each page (the non-sensitive values). We would also fetch this configuration on certain API endpoints (the sensitive values).

Now, I can see some issues with this approach. 1. Caching this sensitive data isn't going to be easy, and will result in a call every time. 2. The configuration would be available at the page level (we're using old routing right now) and thus each hook, etc. Therefore, for example, a RQ hook would need to accept, for example the Tenant ORY Kratos redirect URL as a parameter. This would mean page level configuration would be passed around in a, potentially unmaintainable way. 3. We have API routes that need this sensitive configuration, and therefore, every time an API endpoint is called we would have to request the config again!

There are plenty of issues with the approach I have outlined above.

So, has anyone seen a maintainable approach to this problem? Any solutions for the above issue? Any ideas would be appreciated.

[steven-tey]

Sorry for the late reply here! This is a great question – we've had folks evaluate Platforms with Auth solutions like ORY / Clerk / Auth0 before. Short answer is yes it should work, but you'll probably need to do this in the middleware.

I'm not very familiar with ORY so I'm going to cc some folks from their team for help: @tacurran @aeneasr

Will also move this to a discussion!

[tacurran]

@josh9060 hello. I am trying to understand your example. Does every tenant in your application have a separate, unique url? We have seen numerous example applications that go in the direction so I think we can work out a solution. I have to ask: did you try this on Ory Network/CLI?