Multi Tenancy with Spring Security OAuth2 Client

Question

I am using Spring Security Oauth2 Client and Keycloak as Identity provider.

My application will be deployed with multiple domain and we want to use single instance of Keycloak.

I have set up 2 realms in a single instance of Keycloak treating them as different tenants.

In the application.properties I have set the properties for two tenants -

But how come the Application 1 with URL - http://demo-app-1.com will redirect to keycloak 1 and similarly for Application 2 with URL - http://demo-app-2.com will redirect to keycloak 2.

server.port=8300
spring.security.oauth2.client.registration.demo1.client-name=spring-boot-web
spring.security.oauth2.client.registration.demo1.client-id=spring-boot-web
spring.security.oauth2.client.registration.demo1.client-secret=213e66d5-206f-4948-bd9d-bfa14a70c4cf
spring.security.oauth2.client.registration.demo1.provider=keycloak
spring.security.oauth2.client.registration.demo1.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.demo1.redirect-uri=http://localhost:8300

spring.security.oauth2.client.provider.keycloak.authorization-uri=http://localhost:8081/auth/realms/spring-boot/protocol/openid-connect/auth
spring.security.oauth2.client.provider.keycloak.token-uri=http://localhost:8081/auth/realms/spring-boot/protocol/openid-connect/token


spring.security.oauth2.client.registration.demo2.client-name=spring-boot-web
spring.security.oauth2.client.registration.demo2.client-id=spring-boot-web
spring.security.oauth2.client.registration.demo2.client-secret=d69a7fd1-2297-49d0-b236-7b8039c845b2
spring.security.oauth2.client.registration.demo2.provider=keycloak2
spring.security.oauth2.client.registration.demo2.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.demo2.redirect-uri=http://localhost:8301

spring.security.oauth2.client.provider.keycloak2.authorization-uri=http://localhost:8081/auth/realms/spring-boot-2/protocol/openid-connect/auth
spring.security.oauth2.client.provider.keycloak2.token-uri=http://localhost:8081/auth/realms/spring-boot-2/protocol/openid-connect/token

Query - Is there any additional property which we can set which can auto route the requests to the respective realm in Keycloak?

I am getting a page to choose the provider when I hit the application URL which I need to bypass

Answer 1

Here is the Example For Opaque Token (Multitenant Configuration) maybe this is helpful - The Key for Multitenancy in Spring Security is Authentication Manger Resolver

@Component public class CustomAuthenticationManagerResolver implements AuthenticationManagerResolver {

@Override
public AuthenticationManager resolve(HttpServletRequest request) {
    String tenantId = request.getHeader("tenant");
    OpaqueTokenIntrospector opaqueTokenIntrospector;
    if (tenantId.equals("1")) {
        opaqueTokenIntrospector =  new NimbusOpaqueTokenIntrospector(
                "https://test/authorize/oauth2/introspect",
                "clientId",
                "clientSecret"
        );
    } else {
        opaqueTokenIntrospector =  new NimbusOpaqueTokenIntrospector(
                "https://test/authorize/oauth2/introspect",
                "clientId",
                "clientSecret");
    }
    return new OpaqueTokenAuthenticationProvider(opaqueTokenIntrospector)::authenticate;
}
}

Web Security Configuration

@Autowired
 private CustomAuthenticationManagerResolver customAuthenticationManagerResolver;




     @Override
        public void configure(HttpSecurity http) throws Exception {
         http.anyRequest()
                        .authenticated().and().oauth2ResourceServer()
                        .authenticationEntryPoint(restEntryPoint).authenticationManagerResolver(customAuthenticationManagerResolver);
    }