Best way to handle multiple OpenId Connect issuers

I’m using the Enterprise OpenId Connect plugin to verify access tokens, along with an OIDC provider that supports multiple realms. Each realm is its own issuer, with its own discovery endpoint.

Is there a best practice for allowing authenticated requests from multiple issuers? AFAICT, the plugin only allows one issuer and only one instance of the plugin will run for a request. The only solution I can think of is to have multiple routes each with their own plugin config.

Hi - I’m actually interested in the same thing… we currently have one issuer, and would like to add a second for the same authentication method (OAuth2 bearer token provided in a header). I’m still looking, but so far it still seems this isn’t possible, at least in a fashion that’s transparent to the party making the request.

@alexashley did you end up going the multiple-route… route?

We actually do something similar internally with a fork of this oidc plugin:
https://github.com/nokia/kong-oidc , where we enable the conf as an arraylist rather than a single instance, and let a specific consumer-passed header dictate which identity provider to validate access_tokens with. Since we have things like MS AD OIDC, and 2-3 other LDAP in-house auths that are run by something like Ping Federate for instance.

Innnteresting - thanks @jeremyjpj0916! I actually use the same plugin; I’ll have a look to see if a similar solution will work for us, thanks for the idea!

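As an added illustration of the two approaches discussed in this thread (a list of issuer configs, with the issuer picked either by a consumer-supplied header or by the token's own `iss` claim), here is a small verifier written for this page. It is not code from the Enterprise openid-connect plugin or from the nokia/kong-oidc fork. It uses HS256 with constructed secrets so it runs offline; a real gateway would verify RS256 signatures against each realm's JWKS fetched from its discovery endpoint. The realm URLs, audience and secrets are made up.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed issuer allowlist standing in for an "array of plugin configs".
# Secrets are invented; in production each entry would carry a JWKS URL instead.
ISSUERS = [
    {"issuer": "https://idp.example.com/realms/alpha",
     "audience": "orders-api",
     "secret": b"alpha-realm-constructed-secret"},
    {"issuer": "https://idp.example.com/realms/beta",
     "audience": "orders-api",
     "secret": b"beta-realm-constructed-secret"},
]


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(cfg, sub, lifetime=300, issuer=None):
    """Build an HS256 JWT for the examples. `issuer` lets a test forge a wrong iss."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": issuer or cfg["issuer"], "aud": cfg["audience"],
               "sub": sub, "iat": now, "exp": now + lifetime}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(cfg["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def select_issuer_config(token, selector_header=None):
    """Choose which registered issuer to verify against.

    The selector is either the consumer-passed header (the fork's approach) or
    the token's *unverified* iss claim. In both cases it only indexes into the
    pre-registered list; nothing from the request is used as a discovery URL.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    if selector_header is None:
        selector_header = json.loads(_b64url_decode(parts[1])).get("iss")
    for cfg in ISSUERS:
        if cfg["issuer"] == selector_header:
            return cfg
    raise ValueError("unknown issuer")


def verify_token(token, selector_header=None, now=None):
    """Verify signature, issuer binding, audience and expiry; return the claims."""
    cfg = select_issuer_config(token, selector_header)
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(cfg["secret"], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Bind the verified claims back to the selected config: a token routed by
    # header to the wrong realm fails the signature check above; a token signed
    # by the right realm but claiming another iss fails here.
    if claims.get("iss") != cfg["issuer"]:
        raise ValueError("iss does not match selected issuer")
    aud = claims.get("aud")
    if aud != cfg["audience"] and not (isinstance(aud, list) and cfg["audience"] in aud):
        raise ValueError("wrong audience")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def check(token, selector_header=None):
    """Return 'ok' or the rejection reason, for logging or for the tests."""
    try:
        verify_token(token, selector_header)
        return "ok"
    except ValueError as err:
        return str(err)
```

The same structure applies when the selector comes from a route instead of a header: the multiple-route setup from the first post is just this list with one entry per route, so the point to keep in either design is that the selector only chooses among issuers you registered up front and the verified `iss` is checked against that choice afterwards.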
