Versions Compared

Old Version 5

changes.mady.by.user Maciej Wojtasik

Saved on

compared with

New Version 6

changes.mady.by.user Robin Collard

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page describes changes in HTTP request validation and how to configure OpenID Connect with Multitenancy.

Enabling

...

multi-tenancy

To use OpenID Connect, multitenancy multi-tenancy needs to be enabled (can be added to application.propeties). Also a list of allowed tenants should be configured.

Code Block
titleapplication.properties
blueriq.multi-tenancy.enabled=true
blueriq.multi-tenancy.allowedTenants=blueriq,everest

HTTP request validation

When multitenancy multi-tenancy is enabled, each HTTP request is validated as followingfollows:

  • Check if the user is logged in using OpenID Connect → JWT Token Claims should contain tenant claimtoken claims should contain the tenant claim.
  • If the user is not logged in, then the tenant header should be present and valid. The HTTP header is valid when its value is in a the list of of allowed tenants.
  • If the user is logged in, then the tenant header is not necessaryrequired. If it exists, then it needs to match the tenant claim claim value.

Tenant claim

The JWT token claim that can be configured by changing property blueriq.security.jwt-claims.claim-mapping.TenantID. For example:

Code Block
titleapplication.properties
blueriq.security.jwt-claims.claim-mapping.TenantID=$.TenantID

Tenant header

The HTTP header that is passed in the HTTP request, can be configured by changing property blueriq.multi-tenancy.httpHeader. For example:

Code Block
titleapplication.properties
blueriq.multi-tenancy.httpHeader=X-TENANT-ID

Allowed tenants

set of tenants that can be used in system, can be configured using property blueriq.multi-tenancy.allowedTenants

Code Block
blueriq.multi-tenancy.allowedTenants=blueriq,everest

Configuration OpenID Connect with Multitenancy

To switch into OpenID Connect configuration, following properties need to be added to application.properties

Code Block
blueriq.security.login-type=openid-connect
blueriq.security.auth-providers.openid-provider.type=openid-connect
blueriq.security.openid-connect.use-discovery=true
blueriq.security.openid-connect.token-issuer=http://${MULTITENANCY_HOST}:18034/realms/Blueriq
blueriq.security.openid-connect.client-id=blueriq-runtime
blueriq.security.openid-connect.client-secret=very-secret
blueriq.security.openid-connect.scopes=openid
blueriq.security.openid-connect.roles-path=$.roles
blueriq.security.auth-providers-chain=openid-provider
blueriq.security.openid-connect.sso-logout=true
blueriq.security.openid-connect.end-session-endpoint=http://${MULTITENANCY_HOST}:18034/realms/Blueriq/protocol/openid-connect/logout
blueriq.security.jwt-claims.roles-path=$.roles
blueriq.security.jwt-claims.tenant-path=$.tenant

Also, make sure that there are no existing properties that could override openid-connect configuration. Comment out / remove following:

Code Block
# blueriq.security.auth-providers.local01.type=in-memory
# blueriq.security.auth-providers.local01.users.location=users.properties
# blueriq.security.auth-providers-chain=local01