Keycloak + Multi-tenancy + Spring Security configuration

joshdcollins · May 7, 2020, 11:29am

Hi all,

I’m attempting to use Keycloak to support multi-tenancy within a SpringBoot 2 application using Spring Security.

I’m using

org.keycloak
keycloak-spring-boot-starter
9.0.0

org.springframework.boot
spring-boot-starter-security
2.2.5.RELEASE

To enable multitenancy I have a MultitenantConfigResolver class which extends KeycloakSpringBootConfigResolver. MultitenantConfigResolver is loaded via my SecurityConfig which extends KeycloakWebSEcurityConfigurerAdapter.

This config resolver largely works as I expect. The target tenant is inferred from the issuer of the provided JWT on the Request. Then an AdapterConfig is built and passed into the KeycloakDeploymentBuilder.build(adapterConfig);

A key point I’m unsure is correct – when an unauthenticated request is made (no Authorization header), the resolve method of the MultitenantConfigResolver returns null.

I have certain endpoints which I want to be publicly accessible. Those are all prefixed by /public.

In SecurityConfig this is my HttpSecurity configuration:

@Override
protected void configure(HttpSecurity http) throws Exception
{
    super.configure(http);
    http
            .csrf().disable()
            .authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .anyRequest().authenticated();
}

I’m finding that even when calling an endpoint starting with /public/ my MultitenantConfigResolver is still being called, and the endpoint is not called.

Of a lower priority, in this case instead of returning a 401, I get an empty 200, I’m not sure where to coerce the appropriate status code.

Complete code for both MultitenantConfigResolver and HttpSecurity are here: Full Keycloak Multitenant Configuration · GitHub

joshdcollins · May 7, 2020, 12:12pm

Not sure if this is an appropriate fix, but I toyed with returning an empty KeycloakDeployment when no token was provided.

        if (authHeader == null) {
            logger.warn("No Auth header provided");
            return new KeycloakDeployment();
        }

This kept the filter chain from short circuiting but was getting a bad response in Postman. After enabling debug logging, it became clear that Keycloak was attempting to redirect to a /sso/login URL. To avoid this, I set bearerOnly = true on the empty deployment.

        if (authHeader == null) {
            logger.warn("No Auth header provided");
            KeycloakDeployment unConfiguredDeployment = new KeycloakDeployment();
            unConfiguredDeployment.setBearerOnly(true);
            return unConfiguredDeployment;
        }

This appears to meet my 3 use cases:

Anything in /public/** should be accessible without a token
Anything not in /public should return a 401 without a token
If I have a token, I should be able to process an authenticated endpoint as expected

Prasad-Coditas · September 2, 2020, 9:04am

could you please share the whole code ? Please

vijayakula259 · May 10, 2022, 3:36am

@joshdcollins have you implemented authorization with : Keycloak + Multi-tenancy + Spring Security configuration?

could you please share any reference? I am having issues with keycloak managed authorization.

Topic		Replies	Views
Spring Security: Multi Tenant support Securing applications	0	501	March 31, 2021
Multi-tenancy on Java EE aplication not working Securing applications adapter-java , multi-tenancy	1	695	January 24, 2023
SpringBoot/SpringSecurity: Access SecurityContext from custom KeycloakConfigResolver Securing applications adapter-java	0	991	September 22, 2020
Failed to authorize in multitenancy keycloak with credentials Getting advice authentication , multi-tenancy	1	450	December 13, 2022
Wildfly multitentant public access Securing applications	0	384	January 3, 2020

Keycloak + Multi-tenancy + Spring Security configuration

Related topics