Multitenant JWT Validation

George Waters 21

Hi,

I'm working on a multi-tenant net core 7 webapi, where each customer has its own database and I want each customer to have its own key to generate the jwt token, instead of having one for all.

I thought of having these keys in a database, but this means that, each request will have to check database and retrieve the key to validate jwt, this doesn't sounds good to me.

What would be the right way to achieve this?

Thanks in advance.

Zhi Lv - MSFT 32,011 Reputation points Microsoft Vendor

2023-01-10T07:46:19.343+00:00

Hi @George Waters ,

> I thought of having these keys in a database, but this means that, each request will have to check database and retrieve the key to validate jwt,

It is ok to store keys into a database. If you don't want to use database, you can also try to use Azure Key Vault.

> I'm working on a multi-tenant net core 7 webapi, where each customer has its own database and I want each customer to have its own key to generate the jwt token, instead of having one for all.

In your scene, I will create an end point that is going to generate the token in exchange for valid credentials. In this end point, it required the User Credentials (to determine the tenant) as the parameter, then we can according to the User Credentials to find the secret key from database or Azure Key Vault, then generate the token. After that user can access the protected resource with the token.
George Waters 21 Reputation points

2023-01-10T17:05:57.94+00:00

Thank you for taking the time to advise, ZhiLv.

1 answer

Bruce (SqlWork.com) 55,686 Reputation points

2023-01-10T19:04:39.913+00:00

typically you would cache the keys.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment