Okta as external access provider with Faunadb

Hello,
We want to use Okta as an external access provider with Faunadb.

Faunadb shares this article as a reference on how to implement that (an example with Auth0: Setting up SSO authentication in Fauna with Auth0).

Our problem: We have multiple Fauna child databases (Multi-tenancy | Fauna Documentation), but in every database we have to configure Okta as the access provider, and the doc says we have to add this database as an audience to the Okta authorization service. But Okta only supports one audience.

So do you have an idea how we could solve this, so that we can use one login with one Okta authorization service together with multiple Fauna databases?


Hi @Mike ,

Depending on how you’re using your child databases, you do have the option of using scoped keys to grant access to roles on any child databases. But keep in mind, those keys require either admin- or server-level access to the database; depending on what you’re doing, that may be more access than you want to give to people accessing those child databases.

Can you share some more about the app itself? What will the child databases represent? And do they need different access controls for each one?

Cory

Hi @Cory_Fauna,

We currently have two cases:

Case 1: We want to use Fauna inside a self-contained service (SCS) architecture, so that multiple teams can work independently on their SCS. In the frontend we’re using micro-frontends, so every SCS team has their own micro-frontends and accesses the database through them. For that we thought it may be a good idea to have one database for every service, so that we can also give developers access only to the database they are responsible for, keeping the domains decoupled.

Case 2: In the shared article, we read about databases for development purposes. So it would be great to have the identity provider active there as well.

I hope this gives some more clarity.

Hi @Mike,

Ah, ok. Yeah, in that case you may need to create multiple authorization servers within Okta, one for each child database. That would allow you to set up multiple different audiences, since only one audience can apply to one server.

There might be a more elegant way of solving this but I haven’t been able to find one.

Cory
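To make the audience binding behind this answer concrete, here is an added example (not from the thread and not Fauna's or Okta's own code): it models one access-provider configuration per child database, each tied to a distinct Okta authorization server issuer and its own audience, and shows that a token minted for one server's audience is accepted by exactly one database. It uses HS256 with a constructed secret in place of Okta's RS256/JWKS signing, and every issuer, audience and database name is a placeholder.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the access-provider settings of each child
# database. Fauna generates the real audience when the provider is created;
# these values are placeholders, not real identifiers.
PROVIDERS = {
    "team-a-db": {"issuer": "https://example.okta.com/oauth2/SERVER_A_PLACEHOLDER",
                  "audience": "https://db.fauna.com/db/AUDIENCE_A_PLACEHOLDER"},
    "team-b-db": {"issuer": "https://example.okta.com/oauth2/SERVER_B_PLACEHOLDER",
                  "audience": "https://db.fauna.com/db/AUDIENCE_B_PLACEHOLDER"},
}

# Constructed demo secret; stands in for the per-server RS256 key Okta uses.
OKTA_SIGNING_SECRET = b"constructed-demo-secret-not-a-real-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, audience: str, secret: bytes, ttl: int = 300) -> str:
    """Mint an HS256 JWT the way one Okta authorization server would: one iss, one aud."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "aud": audience, "sub": "dev@example.com",
              "exp": int(time.time()) + ttl}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def databases_accepting(token: str, secret: bytes) -> list:
    """Return the child databases whose provider config accepts this token."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return []                      # bad signature: no database trusts it
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= time.time():
        return []                      # expired
    auds = claims.get("aud")
    auds = auds if isinstance(auds, list) else [auds]
    # Issuer AND audience must match the database's provider: one server, one DB
    return [db for db, cfg in PROVIDERS.items()
            if cfg["issuer"] == claims.get("iss") and cfg["audience"] in auds]
```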