Merge pull request #32864 from sberyozkin/oidc_default_static_tenant_…

…resolver Provide default OIDC static tenant resolver
quarkusio · May 19, 2023 · a4d0f9c · a4d0f9c
2 parents 1049c96 + 8d4f5ef
commit a4d0f9c
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 37 deletions.
diff --git a/docs/src/main/asciidoc/security-openid-connect-multitenancy.adoc b/docs/src/main/asciidoc/security-openid-connect-multitenancy.adoc
@@ -306,6 +306,8 @@ public class CustomTenantResolver implements TenantResolver {
 }
 ----
 
+In fact, this is how Quarkus OIDC resolves static custom tenants itself if no custom `TenantResolver` is registered.
+
 A similar technique can be used with `TenantConfigResolver` where a `tenant-id` provided in the context can be used to return `OidcTenantConfig` already prepared with the previous request.
 ====
 

diff --git a/...sions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTenantConfigResolver.java b/...sions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTenantConfigResolver.java
@@ -33,6 +33,8 @@ public class DefaultTenantConfigResolver {
     private static final String CURRENT_STATIC_TENANT_ID_NULL = "static.tenant.id.null";
     private static final String CURRENT_DYNAMIC_TENANT_CONFIG = "dynamic.tenant.config";
 
+    private DefaultStaticTenantResolver defaultStaticTenantResolver = new DefaultStaticTenantResolver();
+
     @Inject
     Instance<TenantResolver> tenantResolver;
 
@@ -133,6 +135,8 @@ private TenantConfigContext getStaticTenantContext(RoutingContext context) {
         if (tenantId == null && context.get(CURRENT_STATIC_TENANT_ID_NULL) == null) {
             if (tenantResolver.isResolvable()) {
                 tenantId = tenantResolver.get().resolve(context);
+            } else if (tenantConfigBean.getStaticTenantsConfig().size() > 0) {
+                tenantId = defaultStaticTenantResolver.resolve(context);
             }
             if (tenantId == null) {
                 tenantId = context.get(OidcUtils.TENANT_ID_ATTRIBUTE);
@@ -236,4 +240,24 @@ public TenantConfigBean getTenantConfigBean() {
         return tenantConfigBean;
     }
 
+    private class DefaultStaticTenantResolver implements TenantResolver {
+
+        @Override
+        public String resolve(RoutingContext context) {
+            String tenantId = context.get(OidcUtils.TENANT_ID_ATTRIBUTE);
+            if (tenantId != null) {
+                return tenantId;
+            }
+            String[] pathSegments = context.request().path().split("/");
+            if (pathSegments.length > 0) {
+                String lastPathSegment = pathSegments[pathSegments.length - 1];
+                if (tenantConfigBean.getStaticTenantsConfig().containsKey(lastPathSegment)) {
+                    return lastPathSegment;
+                }
+            }
+            return null;
+        }
+
+    }
+
 }
diff --git a/...sts/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/CustomTenantResolver.java b/...sts/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/CustomTenantResolver.java
diff --git a/integration-tests/keycloak-authorization/src/main/resources/application.properties b/integration-tests/keycloak-authorization/src/main/resources/application.properties
@@ -88,24 +88,24 @@ quarkus.keycloak.policy-enforcer.paths.19.name=Scope Permission Resource
 quarkus.keycloak.policy-enforcer.paths.19.path=/api/permission/scopes/programmatic-way-denied
 
 # Service Tenant
-quarkus.oidc.tenant.auth-server-url=${quarkus.oidc.auth-server-url}
-quarkus.oidc.tenant.client-id=quarkus-app
-quarkus.oidc.tenant.credentials.secret=secret
+quarkus.oidc.api-permission-tenant.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc.api-permission-tenant.client-id=quarkus-app
+quarkus.oidc.api-permission-tenant.credentials.secret=secret
 
-quarkus.keycloak.tenant.policy-enforcer.paths.1.name=Permission Resource Tenant
-quarkus.keycloak.tenant.policy-enforcer.paths.1.path=/api-permission-tenant
-quarkus.keycloak.tenant.policy-enforcer.paths.1.claim-information-point.claims.static-claim=static-claim
+quarkus.keycloak.api-permission-tenant.policy-enforcer.paths.1.name=Permission Resource Tenant
+quarkus.keycloak.api-permission-tenant.policy-enforcer.paths.1.path=/api-permission-tenant
+quarkus.keycloak.api-permission-tenant.policy-enforcer.paths.1.claim-information-point.claims.static-claim=static-claim
 
 # Web App Tenant
-quarkus.oidc.webapp-tenant.auth-server-url=${quarkus.oidc.auth-server-url}
-quarkus.oidc.webapp-tenant.client-id=quarkus-app
-quarkus.oidc.webapp-tenant.credentials.secret=secret
-quarkus.oidc.webapp-tenant.application-type=web-app
-quarkus.oidc.webapp-tenant.roles.source=accesstoken
-
-quarkus.keycloak.webapp-tenant.policy-enforcer.paths.1.name=Permission Resource WebApp
-quarkus.keycloak.webapp-tenant.policy-enforcer.paths.1.path=/api-permission-webapp
-quarkus.keycloak.webapp-tenant.policy-enforcer.paths.1.claim-information-point.claims.static-claim=static-claim
+quarkus.oidc.api-permission-webapp.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc.api-permission-webapp.client-id=quarkus-app
+quarkus.oidc.api-permission-webapp.credentials.secret=secret
+quarkus.oidc.api-permission-webapp.application-type=web-app
+quarkus.oidc.api-permission-webapp.roles.source=accesstoken
+
+quarkus.keycloak.api-permission-webapp.policy-enforcer.paths.1.name=Permission Resource WebApp
+quarkus.keycloak.api-permission-webapp.policy-enforcer.paths.1.path=/api-permission-webapp
+quarkus.keycloak.api-permission-webapp.policy-enforcer.paths.1.claim-information-point.claims.static-claim=static-claim
 
 admin-url=${keycloak.url}