Assigned
Comments
va...@google.com <va...@google.com>
ha...@google.com <ha...@google.com> #2
This is a good idea and definitely worth investigating.
I think there's something to be said about what scope these coroutines would run in, but it should be possible to pass it back from adapter internally.
Description
Problem you have encountered:
We have a setup of multiple tenancies with users, but also some users set up in the root or default tenant (without a tenant id). We have also disabled user creation and deletion.
For some authentication methods we use custom token authentication.
When the user logs in and receives their custom token and then uses the client libraries to sign in, if the tenant id is not explicitly set in the
What you expected to happen:
I would expect one of the following:
Since we have disabled user account creation, I would not expect the sign in with custom token call to create a user that did not already exist (the same as OIDC/SAML); if the uid does not exist in the tenant already, this should be an error.
Since the custom token already has a tenant_id set, I would expect an attempt to sign in to any other tenant (even the root tenant) to fail, or for there to be an option to set this in the Identity Platform settings. It seems strange that the client has control of this by setting/not setting the tenantId in the accounts:signInWithCustomToken call.
Steps to reproduce:
Create a custom token with a tenant_id claim set.
Call
Other information (workarounds you have tried, documentation consulted, etc):
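Added example (not part of the issue report, and not Google's or the Admin SDK's code): a stdlib-only Python sketch of the two pieces the report talks about, a custom token carrying a tenant_id claim and the accounts:signInWithCustomToken request body. The client helper copies tenantId from the token's own tenant_id claim instead of letting the caller choose it, so a first-party client can never accidentally sign a tenant-scoped token in against the root tenant. The service account email, API key and tenant id are placeholders; the token's signature segment is a constructed stand-in, since a real custom token is RS256-signed with the service account key, which this offline example omits.

```python
"""Added example: tenant-aware handling of Identity Platform custom tokens.

Claim set follows the public custom-token format (iss/sub/aud/iat/exp/uid, plus
tenant_id when the Admin SDK's tenant-aware client mints the token).  Nothing here
is signed for real; the signature segment is a constructed placeholder."""
import base64
import json
import time
from typing import Optional

IDENTITY_TOOLKIT_AUD = (
    "https://identitytoolkit.googleapis.com/"
    "google.identity.identitytoolkit.v1.IdentityToolkit"
)
SIGN_IN_URL = (
    "https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken"
)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_custom_token(uid: str, service_account: str,
                               tenant_id: Optional[str]) -> str:
    """Constructed sample token with the custom-token claim set.
    service_account is a placeholder email; the signature is NOT valid."""
    now = int(time.time())
    payload = {
        "iss": service_account,
        "sub": service_account,
        "aud": IDENTITY_TOOLKIT_AUD,
        "iat": now,
        "exp": now + 3600,  # custom tokens are valid for at most one hour
        "uid": uid,
    }
    if tenant_id is not None:
        payload["tenant_id"] = tenant_id  # set by a tenant-aware Admin SDK client
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url(b"placeholder-signature"),  # constructed, not a real RS256 signature
    ])


def token_tenant_id(custom_token: str) -> Optional[str]:
    """Read the tenant_id claim from a custom token our own server minted.
    No signature check here: we only need the claim, and the token is ours."""
    parts = custom_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return claims.get("tenant_id")


def sign_in_request(custom_token: str, api_key: str,
                    require_tenant: bool = True) -> dict:
    """Build the POST a well-behaved client sends to accounts:signInWithCustomToken.

    tenantId is copied from the token's tenant_id claim, so the caller cannot pick a
    different tenant (or drop the field and land in the root tenant).  With
    require_tenant=True a token that has no tenant_id claim is refused up front."""
    tenant = token_tenant_id(custom_token)
    if tenant is None and require_tenant:
        raise ValueError(
            "custom token has no tenant_id claim; refusing root-tenant sign-in")
    body = {"token": custom_token, "returnSecureToken": True}
    if tenant is not None:
        body["tenantId"] = tenant
    return {"url": f"{SIGN_IN_URL}?key={api_key}", "json": body}


if __name__ == "__main__":
    tok = make_unsigned_custom_token(
        "alice", "svc@example.iam.gserviceaccount.com", "tenant-a1b2c")
    print(json.dumps(sign_in_request(tok, "API_KEY")["json"], indent=2))
```

This only keeps a cooperating client consistent with the token it was handed; it does nothing about the point the report raises, that the backend accepts whatever tenantId (or none) the client sends in the call, so a modified client can still omit the field. Any enforcement of token-tenant versus requested-tenant, or of "uid must already exist in the tenant", would have to happen on the Identity Platform side.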