Multi-tenancy support for OAuth2 #5351
Today, it isn't clear how to best configure Spring Security to support a multi-tenant OAuth2 client.
Here is an example of one approach out in the wild:
We indeed had the requirement to run a single resource server that can validate JWTs issued by multiple issuers. We had to implement our own given that the Spring one does not support this and Keycloak adapters only support Keycloak-specific issuers.
We had 2 main use cases for multi-tenancy:
This use case requires the IssuerResolver to look up (and cache) issuer metadata JWKS certs.
This use case requires a pre-configured IssuerResolver which is configured with the issuer (iss) name it supports and then either the metadata URL or the public cert, where the latter does not really work well if your issuer performs key rotation.
Another interesting aspect we ran into was that if we just want to run an API-based resource server (i.e. a Spring Boot microservice) there will be a lot of unnecessary moving parts in the Spring Security configuration. We ended up implementing 3 components (AccessDeniedHandler, AuthenticationFailureHandler and AuthenticationEntryPoint); everything else is surplus and massively overcomplicates things.
In a multi-tenant configuration, each tenant would likely come with its own set of allowed issuers. A tenant-specific request would trust only a subset of the issuers configured for the resource server.
We would need to introduce a selection mechanism to pick the allowed issuer(s) for a request. This
For example, the
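Pulling the two comments above together, here is an added example of the issuer-selection flow they describe: a pre-configured resolver that knows a fixed set of issuers, caches each issuer's key set, refreshes once when a token names a `kid` it has not seen (key rotation), and a per-tenant allow-list so that a tenant-specific request only trusts a subset of the configured issuers. This is illustration code written for this page; it is not Spring Security code, not the commenter's IssuerResolver, and not tied to any Spring API. The issuers, tenants, key material and tokens are all constructed, and HS256 with shared secrets stands in for the RSA/EC public keys a real JWKS would hold so that everything runs offline.

```python
"""Multi-tenant resource server: select the issuer per request, then verify the JWT."""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Constructed fixtures: stand-ins for real identity providers and their JWKS ---
# Each issuer's "key set" is kid -> HMAC secret. Real issuers publish public keys;
# HS256 is used here only so the example runs without a network or crypto library.
ISSUER_KEYS = {
    "https://idp-a.example": {"a-k1": b"secret-a-1"},
    "https://idp-b.example": {"b-k1": b"secret-b-1"},
}
# Each tenant trusts only a subset of the issuers the resource server knows about.
TENANT_ISSUERS = {
    "acme": {"https://idp-a.example"},
    "globex": {"https://idp-a.example", "https://idp-b.example"},
}


def fetch_jwks(issuer: str) -> dict:
    """Simulates fetching <issuer>'s metadata and then its jwks_uri (constructed, offline)."""
    return dict(ISSUER_KEYS[issuer])


class IssuerResolver:
    """Pre-configured with the issuers it supports; caches their key sets and refreshes
    once when a token names a kid the cache does not know, which is how rotation shows up."""

    def __init__(self, issuers, fetch=fetch_jwks):
        self.issuers, self.fetch, self.cache = set(issuers), fetch, {}
        self.fetch_count = 0  # exposed so the caching behaviour can be observed

    def key_for(self, issuer: str, kid: str) -> bytes:
        if issuer not in self.issuers:
            raise ValueError("unknown issuer")  # never fetch metadata for an arbitrary 'iss'
        keys = self.cache.get(issuer)
        if keys is None or kid not in keys:
            keys = self.cache[issuer] = self.fetch(issuer)
            self.fetch_count += 1
        if kid not in keys:
            raise ValueError("unknown kid")
        return keys[kid]


def sign_jwt(claims: dict, issuer: str, kid: str) -> str:
    """Constructed token factory standing in for the identity provider."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url(json.dumps(dict(claims, iss=issuer)).encode())
    sig = hmac.new(ISSUER_KEYS[issuer][kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def authenticate(resolver: IssuerResolver, tenant: str, token: str, now=None) -> dict:
    """Validate a bearer token for a tenant-specific request; raises ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))  # UNVERIFIED until the signature checks out
    except ValueError:
        raise ValueError("malformed token")
    issuer = claims.get("iss")
    # Selection step: the tenant's allow-list decides which issuer may be consulted at all.
    if issuer not in TENANT_ISSUERS.get(tenant, set()):
        raise ValueError("issuer not allowed for tenant")
    if header.get("alg") != "HS256":  # pin the algorithm; 'none' or a swapped alg is rejected
        raise ValueError("unsupported alg")
    key = resolver.key_for(issuer, header.get("kid"))
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims  # trustworthy now: signed by a key of an issuer this tenant allows


def rejection_reason(resolver: IssuerResolver, tenant: str, token: str, now=None) -> str:
    """Returns the rejection message, or '' when the token is accepted."""
    try:
        authenticate(resolver, tenant, token, now)
        return ""
    except ValueError as e:
        return str(e)
```

The order of checks is the security-relevant part: `iss` is read from the unverified payload only to choose a key set, and it is matched against the tenant's allow-list before the resolver is allowed to fetch anything, so a token naming an attacker-controlled issuer never triggers a metadata lookup. Only after the signature verifies under a key that belongs to that allowed issuer are the claims trusted. Refreshing the cache on an unknown `kid` is what makes key rotation work with a metadata URL rather than a pinned cert; in production the refresh should be rate-limited per issuer, since otherwise bogus `kid` values can be used to force repeated fetches.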