Routing Requests to the Correct Tenant
- Status: accepted
- Deciders: Yurii Shynbuiev, David Poltorak, Benjamin Voiturier, Shailesh Patil
- Date: [2023-05-09]
- Tags: multi-tenant, routing, message
Context and Problem Statement
In multi-tenancy mode the Cloud Agent still runs as a single agent; however, some of its resources are now shared between the tenants of the agent. Each tenant has its own keys, DIDs, and connections. Transports and most of the settings are still shared between agents. From the outside, all the API endpoints are the same.
In multi-tenancy, message routing can be used to ensure that messages are delivered only to the intended recipient or tenants, and not to unauthorized tenants.
Backend services: the Cloud Agent uses PostgreSQL.
Authentication and authorization
```mermaid
sequenceDiagram
    autonumber
    actor H as Holder(DidComm)
    actor T as Tenant(Issuer)
    participant A as CloudAgent
    participant W as Wallet
    participant DB as Database[did <- tenantId]
    T->>A: Register Tenant
    activate A
    A->>W: Create wallet
    activate W
    note over W: Each Tenant has his own wallet where keys and dids are stored
    W-->>A: tenantId
    deactivate W
    note over T, A: Subsequent requests include JWT header
    activate DB
    note over DB: did -> tenantId or did -> walletId
    T->>A: Create PeerDID[JWT Header]
    A->>A: authorised token extract tenantID
    alt JWT validation
        A-->>T: 200 OK & JWT
    else No user
        A-->>T: 401 Unauthorized
    end
    T-->>A: If authorised Create PeerDID
    A-->>DB: Update [DID(PeerDID) -> tenantID]
    A->>H: send DIDCOMM message to holder did
    deactivate DB
    deactivate A
    activate H
    H->>A: DIDCOMMV2 message to Agent(did)
    A-->>DB: lookup to Agent DID identify tenantId
    A-->>A: decrypt message
    deactivate H
```
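The DID-to-tenant binding and the inbound lookup from the diagram, as an added example that is not the Cloud Agent's own code. The table name, function names and tenant ids are hypothetical, in-memory SQLite stands in for PostgreSQL, the recipient DID is assumed to be read from the `recipients[].header.kid` field of the DIDComm v2 encrypted envelope, and JWT validation is assumed to have already produced `tenant_id`.

```python
import json
import sqlite3

def open_store():
    # In-memory SQLite stands in for the agent's PostgreSQL database (assumption).
    db = sqlite3.connect(":memory:")
    # PRIMARY KEY on did: one DID can be bound to exactly one tenant.
    db.execute("CREATE TABLE did_tenant (did TEXT PRIMARY KEY, tenant_id TEXT NOT NULL)")
    return db

def register_did(db, tenant_id, did):
    """Bind a new PeerDID to a tenant. tenant_id must come from the validated JWT."""
    try:
        with db:
            db.execute("INSERT INTO did_tenant (did, tenant_id) VALUES (?, ?)", (did, tenant_id))
    except sqlite3.IntegrityError:
        raise PermissionError(f"{did} is already bound to a tenant") from None

def route_inbound(db, envelope_json):
    """Return the tenant whose wallet should decrypt this DIDComm v2 envelope."""
    try:
        recipients = json.loads(envelope_json)["recipients"]
        # Each recipient key id is a DID URL: <did>#<key-fragment>.
        dids = {r["header"]["kid"].split("#", 1)[0] for r in recipients}
    except (ValueError, KeyError, TypeError, AttributeError):
        raise ValueError("malformed envelope: cannot read recipient key ids") from None
    tenants = set()
    for did in dids:
        row = db.execute("SELECT tenant_id FROM did_tenant WHERE did = ?", (did,)).fetchone()
        if row:
            tenants.add(row[0])
    if len(tenants) != 1:
        # No known recipient, or recipients owned by different tenants: refuse, never guess.
        raise LookupError("recipient DIDs do not resolve to exactly one tenant")
    return tenants.pop()

def demo():
    # Constructed sample data: placeholder DIDs and ciphertext, not real values.
    db = open_store()
    register_did(db, "tenant-issuer", "did:peer:2.ExampleIssuer")
    register_did(db, "tenant-verifier", "did:peer:2.ExampleVerifier")
    envelope = json.dumps({"ciphertext": "placeholder", "recipients": [
        {"header": {"kid": "did:peer:2.ExampleIssuer#key-1"}, "encrypted_key": "placeholder"}]})
    return route_inbound(db, envelope)

if __name__ == "__main__":
    print(demo())
```

The routing decision uses only the recipient key id and the stored binding, so a message is handed to a wallet for decryption only after its tenant has been identified.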