Description
(Follow-up ticket to #1598)
The tenantid in the OIDC claims of a user might point to an externally maintained ID. In order to look up that user when resolving the user by OIDC claims in the accountResolver middleware (proxy), the middleware needs to be able to map that external ID to the internal tenant ID as generated by the Provisioning API.
Suggested Implementation
- Introduce a new "Tenant" object on the CS3 level and a simple API for lookups:
  - GetTenantById()
  - GetTenantByExternalId()
- Enhance the oidc middleware to extract the (external) tenantid from the claims (see getClaims in oidc_auth.go)
- Enhance the accountResolver middleware to use the above APIs to look up the internal tenantid and use that internal ID for the user lookup.
Acceptance Criteria
- users with an externally assigned tenantid claim are able to log in and are mapped to the correct "internal" tenantid
- the mapping can be turned off, and users with the internal tenantid are mapped to the correct tenant
- users without a tenantid are unable to log in
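The following is an added example sketching the proposed lookup API and the mapping step in the accountResolver middleware, covering the three acceptance criteria above; it is not ocis code, and the `Tenant` struct, `TenantStore`, `ResolveTenantID`, the in-memory store and the claim name `"tenantid"` are all assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Tenant is the assumed shape of the proposed CS3-level Tenant object.
type Tenant struct {
	ID         string // internal id, as generated by the Provisioning API
	ExternalID string // id assigned by an external identity provider (may be empty)
}

// TenantStore is an assumed in-memory stand-in for the proposed lookup API.
type TenantStore struct {
	byID       map[string]Tenant
	byExternal map[string]Tenant
}

// NewTenantStore indexes the given tenants by internal and external id.
func NewTenantStore(tenants ...Tenant) *TenantStore {
	s := &TenantStore{byID: map[string]Tenant{}, byExternal: map[string]Tenant{}}
	for _, t := range tenants {
		s.byID[t.ID] = t
		if t.ExternalID != "" {
			s.byExternal[t.ExternalID] = t
		}
	}
	return s
}

var (
	ErrTenantNotFound = errors.New("tenant not found")
	ErrMissingTenant  = errors.New("tenantid claim missing or empty")
)

// GetTenantById resolves a tenant by its internal id.
func (s *TenantStore) GetTenantById(id string) (Tenant, error) {
	if t, ok := s.byID[id]; ok {
		return t, nil
	}
	return Tenant{}, ErrTenantNotFound
}

// GetTenantByExternalId resolves a tenant by the id an external provider assigned.
func (s *TenantStore) GetTenantByExternalId(ext string) (Tenant, error) {
	if t, ok := s.byExternal[ext]; ok {
		return t, nil
	}
	return Tenant{}, ErrTenantNotFound
}

// ResolveTenantID is the mapping step the accountResolver middleware would run
// before the user lookup. claims is the decoded OIDC claim set, claimName the
// claim carrying the tenant id, mapExternal the switch for external-to-internal
// mapping. With mapping on, only the external lookup is consulted, so an internal
// id presented in the claim is rejected. A missing or empty claim always fails.
func ResolveTenantID(claims map[string]interface{}, claimName string, mapExternal bool, store *TenantStore) (string, error) {
	raw, ok := claims[claimName]
	if !ok {
		return "", ErrMissingTenant
	}
	tid, ok := raw.(string)
	if !ok || tid == "" {
		return "", ErrMissingTenant
	}
	var (
		t   Tenant
		err error
	)
	if mapExternal {
		t, err = store.GetTenantByExternalId(tid)
	} else {
		t, err = store.GetTenantById(tid)
	}
	if err != nil {
		return "", fmt.Errorf("resolve tenant %q: %w", tid, err)
	}
	return t.ID, nil
}

func main() {
	// Constructed sample data: one tenant with an external id, one without.
	store := NewTenantStore(Tenant{ID: "int-1", ExternalID: "ext-a"}, Tenant{ID: "int-2"})
	cases := []struct {
		claims map[string]interface{}
		mapExt bool
	}{
		{map[string]interface{}{"tenantid": "ext-a"}, true},  // external id, mapping on
		{map[string]interface{}{"tenantid": "int-2"}, false}, // internal id, mapping off
		{map[string]interface{}{"tenantid": "int-1"}, true},  // internal id, mapping on: rejected
		{map[string]interface{}{"sub": "alice"}, true},       // no tenantid: rejected
	}
	for _, c := range cases {
		id, err := ResolveTenantID(c.claims, "tenantid", c.mapExt, store)
		fmt.Printf("claims=%v mapping=%v -> internal=%q err=%v\n", c.claims, c.mapExt, id, err)
	}
}
```

The mapping switch deliberately selects one lookup path rather than trying the external lookup and falling back to the internal one: with a fallback, an externally issued value that happens to collide with an internal id would land the user in the wrong tenant, and the switch would no longer describe which id space the deployment trusts.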
Status: Backlog