Multi-Tenancy Questions


Scott Fortmann-Roe

Jan 24, 2020, 10:58:27 AM
to fireba...@googlegroups.com
Hi,

I was reading this article about the interesting new multi-tenancy features:


A few questions and clarifications are requested:

1) To confirm, the multi-tenancy is only at the auth layer, is that correct? All Firestore data, Cloud functions, and other Firebase resources will be shared between all the tenants. The multi-tenancy feature is solely about defining heterogeneous bundles of auth methods?

2) What happens if two users authenticate with the same email in two different tenants?

3) Is tenancy information surfaced in Firestore rules? And does tenancy change the behavior of rules at all?

4) Is it possible to restrict emails authenticating with a specific tenant to a specific domain? E.g. if we set up a tenant for Acme Corp, only @acme.com addresses could authenticate with it (possibly related to #3)?

5) Is it possible to move users between tenants (possibly related to #2)?

6) Are there any issues expected with converting a single-tenant Firebase auth project to a multi-tenant Identity platform project?

Thanks! Scott

Hiranya Jayathilaka

Jan 24, 2020, 5:15:12 PM
to fireba...@googlegroups.com
Let me answer a few of these:

On Fri, Jan 24, 2020 at 7:58 AM Scott Fortmann-Roe <sco...@gmail.com> wrote:
Hi,

I was reading this article about the interesting new multi-tenancy features:


A few questions and clarifications are requested:

1) To confirm, the multi-tenancy is only at the auth layer, is that correct? All Firestore data, Cloud functions, and other Firebase resources will be shared between all the tenants. The multi-tenancy feature is solely about defining heterogeneous bundles of auth methods?

Yes. At least for now that's what you get.

2) What happens if two users authenticate with the same email in two different tenants?

I'm not sure TBH, but I assume it's not allowed. Email address is sort of a key in Firebase Auth, and multiple accounts with the same email is generally not allowed. However, there is a feature that allows linking user accounts across tenants and a corresponding "Link accounts that use the same email" setting in the cloud console: https://cloud.google.com/identity-platform/docs/multi-tenancy-authentication

3) Is tenancy information surfaced in Firestore rules? And does tenancy change the behavior of rules at all?

You can access the tenantId in your security rules (auth.token.tenantId) to enforce tenant-specific restrictions. There are no other changes in behavior beyond that.

4) Is it possible to restrict emails authenticating with a specific tenant to a specific domain? E.g. if we set up a tenant for Acme Corp, only @acme.com addresses could authenticate with it (possibly related to #3)?

5) Is it possible to move users between tenants (possibly related to #2)?


6) Are there any issues expected with converting a single-tenant Firebase auth project to a multi-tenant Identity platform project?

Thanks! Scott



--

Hiranya Jayathilaka | Software Engineer | h...@google.com | 650-203-0128

Scott Fortmann-Roe

Jan 25, 2020, 11:15:56 AM
to fireba...@googlegroups.com
Thanks for the reply Hiranya and your blog post!

I think it is important to get a definitive answer on what happens when an email signs up across multiple tenants and whether a tenant can be restricted to a given email domain.

These are important for the security of the auth system.

Let's say I have two tenants. One for Acme Corp's SAML implementation, and another for their competitor Mega Corp's SAML implementation.

It's important that Acme Corp's SAML is not allowed to authenticate @mega.com emails and that Mega Corp's SAML can't authenticate @acme.com emails.

Since you said the tenant information is available in rules, I guess we can add the email/tenant matching check at the Firestore rules level, but that would require an additional check on every endpoint/action, which would be cumbersome and potentially error-prone.

-Scott
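The email/tenant matching check described in this post, written once as a server-side function that every endpoint can call instead of repeating the check in each rule; this is an added example, not code from the thread or from Firebase. It assumes the decoded ID token exposes the tenant as a `tenantId` claim (the name used in Hiranya's answer) together with `email` and `email_verified`, and the tenant ids and domains are constructed placeholders.

```javascript
// Added example (not from the thread): one authorization check that pairs
// the token's tenant with the tenant that owns the requested data and then
// confirms the signed-in email belongs to a domain that tenant is allowed
// to serve. Claim names `tenantId`, `email`, `email_verified` are assumed.

// Constructed per-tenant policy: which email domains each tenant may serve.
// Tenant identifiers are placeholders, not real Identity Platform tenant ids.
const TENANT_POLICIES = {
  'acme-tenant': { allowedDomains: ['acme.com'] },
  'mega-tenant': { allowedDomains: ['mega.com'] },
};

// Return the lower-cased domain of an email address, or null when the value
// is not of the form local@domain. Using the last '@' keeps a crafted
// local part from smuggling in a second '@'.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Decide whether decoded ID-token claims may act on data owned by
// resourceTenantId. Returns { allowed, reason } so denials can be logged.
function authorizeTenantAccess(claims, resourceTenantId, policies = TENANT_POLICIES) {
  if (!claims || typeof claims.tenantId !== 'string') {
    return { allowed: false, reason: 'token carries no tenantId claim' };
  }
  // Cross-tenant isolation: a Mega Corp token must never reach Acme data.
  if (claims.tenantId !== resourceTenantId) {
    return { allowed: false, reason: 'token tenant does not match resource tenant' };
  }
  const policy = policies[claims.tenantId];
  if (!policy) {
    return { allowed: false, reason: 'unknown tenant' };
  }
  // An unverified email proves nothing about who controls the domain.
  if (claims.email_verified !== true) {
    return { allowed: false, reason: 'email not verified' };
  }
  // Exact domain match, so x@acme.com.evil.example is rejected.
  const domain = emailDomain(claims.email);
  if (domain === null || !policy.allowedDomains.includes(domain)) {
    return { allowed: false, reason: 'email domain not permitted for tenant' };
  }
  return { allowed: true, reason: 'ok' };
}
```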
