Versions Compared

Old Version 2

changes.mady.by.user Maciej Wojtasik

Saved on

compared with

New Version Current

changes.mady.by.user Geert Graat

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This page describes changes in HTTP request validation and how to configure OpenID Connect with Multitenancy.

Enabling multi-tenancy

To use OpenID Connect, multi-tenancy needs to be enabled. Also a list of allowed tenants should be configured.

Code Block
titleapplication.properties
blueriq.multi-tenancy.enabled=true
blueriq.multi-tenancy.allowedTenants=blueriq,everest

HTTP request validation

When multitenancy multi-tenancy is enabled, each HTTP request is validated as followingfollows:

  • Check if the user is logged in using OpenID Connect → JWT Token Claims should contain tenant claimtoken claims should contain the tenant claim.
  • If the user is not logged in, then the tenant header should be present and valid. The HTTP header is valid when its value is in a the list of of allowed tenants.
  • If the user is logged in, then the tenant header is not necessaryrequired. If it exists, then it needs to match the tenant claim value.

Tenant claim

...

The JWT token claim

...

can be configured by changing property blueriq.security.jwt-claims.claim-mapping.TenantID. For example:

Code Block
titleapplication.properties
blueriq.security.jwt-claims.claim-mapping.TenantID=$.TenantID
tenant

Tenant header

...

The default HTTP header that is passed in the HTTP request

...

"X-TENANT-ID

...

", it can be configured

...

by changing property blueriq.multi-tenancy.

...

Configuration OpenID Connect with Multitenancy

To switch into OpenID Connect configuration, following properties need to be added to application.properties

Code Block
blueriq.security.login-type=openid-connect
blueriq.security.auth-providers.openid-provider.type=openid-connect
blueriq.security.openid-connect.use-discovery=true
blueriq.security.openid-connect.token-issuer=http://${MULTITENANCY_HOST}:18034/realms/Blueriq
blueriq.security.openid-connect.client-id=blueriq-runtime
blueriq.security.openid-connect.client-secret=very-secret
blueriq.security.openid-connect.scopes=openid
blueriq.security.openid-connect.roles-path=$.roles
blueriq.security.auth-providers-chain=openid-provider
blueriq.security.openid-connect.sso-logout=true
blueriq.security.openid-connect.end-session-endpoint=http://${MULTITENANCY_HOST}:18034/realms/Blueriq/protocol/openid-connect/logout
blueriq.security.jwt-claims.roles-path=$.roles
blueriq.security.jwt-claims.tenant-path=$.tenant

Also, make sure that there are no existing properties that could override openid-connect configuration. Comment out / remove following:

httpHeader. For example:

Code Block
titleapplication.properties
blueriq.multi-tenancy.httpHeader=X-TENANT-ID
Code Block
# blueriq.security.auth-providers.local01.type=in-memory
# blueriq.security.auth-providers.local01.users.location=users.properties
# blueriq.security.auth-providers-chain=local01