I’m developing a Netsuite SuiteApp, and I’d like to use Netsuite as an OIDC login provider in a multi-tenant (in Netsuite) situation. Netsuite customers have their own instances with user/role management etc. When using Netsuite as an OIDC login provider, Netsuite expects you to register a single callback URI with them, but gives you an authorization url, token url, etc. for each of their tenants.
The expected flow is:
- You redirect the user to their tenant specific auth url
- They auth
- Netsuite directs the user to a single url on your platform, regardless of tenant
Out of the box, Keycloak assumes that the relationship (authorization url, token url) ↔ callback uri is one-to-one, as the callback uri is determined by the idp alias. You can’t have multiple OIDC providers share a redirect URI.
I want to confirm that it isn’t possible to do what Netsuite expects with Keycloak out of the box; that I haven’t missed some configuration option.
The options for me that I see are:
- Create an SPI that allows a single IDP to have dynamic auth/token/logout/userinfo urls
- Create an SPI that allows multiple identity providers to share a callback url, with callback de-multiplexing being done based on values passed in the state parameter
- Create an SPI that allows me to set the redirect url that keycloak sends via the redirect_uri parameter, and use a reverse-proxy to do de-multiplexing.
I don’t know much about SPI IDPs, so I don’t know how feasible these options are. I was wondering if there was an obvious path to take in this situation?
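The callback de-multiplexing sketched in the second and third options above, as an added example that is not part of the original post and is not Keycloak or Netsuite code. It assumes one Keycloak IdP per Netsuite tenant under a made-up alias scheme `netsuite-<tenant>`, that a custom SPI (not shown) mints the outgoing `state` with `encode_state` and sends the single shared URL as `redirect_uri`, and a made-up realm, base URL and HMAC key. The broker callback path `/realms/<realm>/broker/<alias>/endpoint` is Keycloak's real one; everything else is an assumption. The security point is that the tenant used for routing is taken from an HMAC-protected `state`, so a caller cannot steer a callback to another tenant's broker endpoint by editing the query string, and Keycloak's own inner state is handed back untouched.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Assumed shared secret between the state-minting SPI and this demultiplexer.
STATE_KEY = b"replace-with-a-random-32-byte-key"
# Assumed Keycloak deployment details (hypothetical values).
KEYCLOAK_BASE = "https://keycloak.example.com"
REALM = "myrealm"
# Constructed sample tenant ids; in practice this is the set of configured IdPs.
KNOWN_TENANTS = {"123456", "123456-sb1"}
TENANT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sig(tenant: str, inner_b64: str) -> str:
    # HMAC over tenant and the base64url-wrapped inner state, NUL separated.
    return _b64(hmac.new(STATE_KEY, f"{tenant}\x00{inner_b64}".encode(),
                         hashlib.sha256).digest())


def encode_state(tenant: str, inner_state: str) -> str:
    """Wrap the broker's own state as <tenant>.<b64(inner)>.<hmac>.
    The inner state is base64url-wrapped because Keycloak's state may itself
    contain dots; it is returned unchanged by the IdP and restored on the way in."""
    if not TENANT_RE.match(tenant):
        raise ValueError("tenant id contains characters outside the allowed set")
    inner_b64 = _b64(inner_state.encode())
    return f"{tenant}.{inner_b64}.{_sig(tenant, inner_b64)}"


def decode_state(state: str) -> Optional[Tuple[str, str]]:
    """Return (tenant, inner_state) if the wrapper is well-formed and
    authentic, else None. Signature check is constant-time."""
    parts = state.split(".")
    if len(parts) != 3:
        return None
    tenant, inner_b64, sig = parts
    if not TENANT_RE.match(tenant):
        return None
    if not hmac.compare_digest(sig, _sig(tenant, inner_b64)):
        return None
    try:
        inner_state = _unb64(inner_b64).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return tenant, inner_state


def route_callback(query_string: str) -> Optional[str]:
    """Given the raw query string Netsuite sends to the single shared callback,
    return the per-tenant Keycloak broker endpoint to forward it to, or None
    if the request must be rejected. Duplicate parameters are rejected to
    avoid parameter-pollution ambiguity between this proxy and Keycloak."""
    query = parse_qs(query_string, keep_blank_values=True)
    if any(len(values) != 1 for values in query.values()):
        return None
    states = query.get("state")
    if not states:
        return None
    decoded = decode_state(states[0])
    if decoded is None:
        return None
    tenant, inner_state = decoded
    if tenant not in KNOWN_TENANTS:  # only route to IdPs that actually exist
        return None
    forwarded = {k: v[0] for k, v in query.items() if k != "state"}
    forwarded["state"] = inner_state  # hand Keycloak back its own state
    return (f"{KEYCLOAK_BASE}/realms/{REALM}/broker/netsuite-{tenant}/endpoint"
            f"?{urlencode(forwarded)}")


if __name__ == "__main__":
    # Constructed round trip: the SPI mints state, Netsuite echoes it back.
    outgoing = encode_state("123456", "broker-state.tab1.client")
    print(route_callback(f"code=AUTHCODE&state={outgoing}"))
    print(route_callback(f"code=AUTHCODE&state={outgoing.replace('123456.', '999999.', 1)}"))
```

In a real deployment the forwarding target should be constructed from the alias on the server side exactly as above, never taken from a user-supplied URL, and the key must be rotated like any other broker credential. The token exchange will only succeed if the tenant-specific IdP sent the shared callback as `redirect_uri`, which is what the third option's SPI has to provide.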