anvilresearch / connect

A modern authorization server built to authenticate your users and protect your APIs

Home Page: http://anvil.io


Anvil in multitenant environment

PetrSnobelt opened this issue

I'd like to ask if it is possible to use anvil in a multi-tenant environment.

For example - We have a system for our partners, which they can use to manipulate (create, modify, disable) their end users, who can also log in to the system with different permissions.
We'd like to use anvil for user authentication, but we need to be able to restrict partners' manipulation of users to only their own users.
If everything is in the cloud it's easy, but sometimes we must deploy our system to a customer - so we need to prevent a partner from displaying or manipulating other partners' users.

I'm thinking about some proxy before anvil which can add these restrictions, but I'd like to know if there is another solution?

Thank you

@PetrSnobelt this is a fairly complex topic, and there may be several ways to approach it.

Without having more details, it sounds like a good use case for federation, meaning multiple identity providers. Your partners, instead of just creating a client, could set up a peer level issuer (anvil instance?) on site, and on your primary (cloud?) provider create an adapter for logging in with that third party issuer, incorporating whatever restrictions you want in that code.

There's also an area of the OIDC spec we don't currently support (but plan to in future releases) called the pairwise identifier algorithm, which defines a way to have client specific user ids. In some cases this is enough.

I'd be happy to get on a google hangout or skype call for half an hour and talk it through with you.
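The pairwise identifiers mentioned in the reply above, sketched as an added example that is not part of the thread and not Anvil Connect code. OIDC Core section 8.1 gives SHA-256 over sector identifier, local account ID and salt as one example calculation; this sketch swaps in HMAC-SHA256 keyed with a provider secret, and every client name, URL, account ID and secret in it is constructed.

```javascript
// Added example: per-client ("pairwise") subject identifiers, OIDC Core section 8.1.
const crypto = require('crypto');

// Constructed client registrations; names and URLs are hypothetical.
const clients = {
  partnerA: { redirect_uris: ['https://a.example.com/cb', 'https://a.example.com/cb2'] },
  partnerB: { redirect_uris: ['https://b.example.net/cb'] },
  mixed: { redirect_uris: ['https://x.example.org/cb', 'https://y.example.org/cb'] },
};

// The sector identifier is the host component of the client's redirect URIs.
// A client whose redirect URIs span several hosts must register a
// sector_identifier_uri instead (fetching and validating the JSON document
// behind that URI is outside what this sketch shows).
function sectorIdentifier(client) {
  if (client.sector_identifier_uri) {
    return new URL(client.sector_identifier_uri).host;
  }
  const hosts = new Set(client.redirect_uris.map((u) => new URL(u).host));
  if (hosts.size !== 1) {
    throw new Error('multiple redirect hosts: sector_identifier_uri required');
  }
  return [...hosts][0];
}

// Same account + same sector -> same sub; a different sector -> unrelated sub.
// The NUL delimiter keeps "ab"+"c" and "a"+"bc" from hashing alike.
function pairwiseSub(client, localAccountId, secret) {
  return crypto
    .createHmac('sha256', secret)
    .update(`${sectorIdentifier(client)}\0${localAccountId}`)
    .digest('hex');
}

// Demo with a constructed secret and account ID.
const demoSecret = 'constructed-provider-secret';
console.log('partnerA sees', pairwiseSub(clients.partnerA, 'user-42', demoSecret));
console.log('partnerB sees', pairwiseSub(clients.partnerB, 'user-42', demoSecret));
```

Because the two partners receive unrelated `sub` values for the same account, neither can correlate or address the other's users by ID; the provider secret must stay stable, since rotating it changes every issued `sub`.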

@christiansmith I'd love to sit in on that call; I might have some related experience to contribute.

It depends on if you need client specific user ids or not. If you don't, I've implemented a system that does multi-tenancy by utilizing roles and scopes to separate tenants.