This page describes changes in HTTP request validation and how to configure OpenID Connect with Multitenancy.
Enabling multi-tenancy
To use OpenID Connect, multi-tenancy needs to be enabled (this can be added to application.properties). A list of allowed tenants should also be configured:

```properties
blueriq.multi-tenancy.enabled=true
blueriq.multi-tenancy.allowedTenants=blueriq,everest
```
HTTP request validation
When multi-tenancy is enabled, each HTTP request is validated as follows:
- Check whether the user is logged in using OpenID Connect. If so, the JWT token claims should contain the tenant claim.
- If the user is not logged in, the tenant header should be present and valid. The HTTP header is valid when its value is in the list of allowed tenants.
- If the user is logged in, the tenant header is not required. If it is present, its value needs to match the tenant claim value.
Tenant claim
The JWT token claim that carries the tenant. It can be configured by changing the property blueriq.security.jwt-claims.claim-mapping.TenantID, for example:

```properties
blueriq.security.jwt-claims.claim-mapping.TenantID=$.TenantID
```

Tenant header
The HTTP header that is passed in the HTTP request. The default header is X-TENANT-ID; it can be configured by changing the property blueriq.multi-tenancy.httpHeader, for example:

```properties
blueriq.multi-tenancy.httpHeader=X-TENANT-ID
```

Allowed tenants
The set of tenants that can be used in the system. It can be configured by changing the property blueriq.multi-tenancy.allowedTenants, for example:

```properties
blueriq.multi-tenancy.allowedTenants=blueriq,everest
```
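As an added example that is not part of this page and not Blueriq's own code, the Python script below applies the three rules from the HTTP request validation section to a set of constructed requests, resolving the tenant claim through the kind of `$.TenantID` claim path shown for the claim-mapping property above. The function and class names, the dict-based request model and the minimal path resolver are assumptions made for illustration; the configuration values are the ones used on this page.

```python
"""Added example (not Blueriq's code): the multi-tenancy request validation
rules applied to constructed requests.

Assumptions (not from the page): the names below, the dict-based
request/claims representation and the '$.a.b'-only path resolver are
illustrative; the real runtime may implement the checks differently.
"""
from dataclasses import dataclass, field
from typing import Optional

# Configuration values as used in this page's examples.
ALLOWED_TENANTS = {"blueriq", "everest"}   # blueriq.multi-tenancy.allowedTenants
TENANT_HEADER = "X-TENANT-ID"              # blueriq.multi-tenancy.httpHeader (default)
TENANT_CLAIM_PATH = "$.TenantID"           # blueriq.security.jwt-claims.claim-mapping.TenantID


def resolve_path(claims: dict, path: str) -> Optional[str]:
    """Resolve a simple '$.a.b' path against decoded JWT claims.

    Hypothetical helper: only dotted object navigation is supported.
    Returns None when any segment is missing or the leaf is not a string.
    """
    if not path.startswith("$."):
        raise ValueError(f"unsupported claim path: {path!r}")
    node = claims
    for segment in path[2:].split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node if isinstance(node, str) else None


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: its headers plus the decoded
    claims of the OIDC token, or None when the user is not logged in."""
    headers: dict = field(default_factory=dict)
    jwt_claims: Optional[dict] = None


def validate_tenant(request: Request,
                    allowed_tenants=ALLOWED_TENANTS,
                    header_name: str = TENANT_HEADER,
                    claim_path: str = TENANT_CLAIM_PATH) -> str:
    """Return the effective tenant of the request or raise PermissionError.

    Rules, as described on the page:
    1. logged in      -> the token must carry the tenant claim
    2. not logged in  -> the tenant header must be present and allowed
    3. logged in with a header -> the header must equal the claim value
    (The page does not require the claim value itself to be in the allowed
    list, so this example does not check that either.)
    """
    # HTTP header names are case-insensitive, so compare them lower-cased.
    header_value = next((v for k, v in request.headers.items()
                         if k.lower() == header_name.lower()), None)

    if request.jwt_claims is None:
        # Rule 2: anonymous request, the header is mandatory and must be allowed.
        if header_value is None:
            raise PermissionError(f"missing {header_name} header")
        if header_value not in allowed_tenants:
            raise PermissionError(f"tenant {header_value!r} is not allowed")
        return header_value

    # Rule 1: authenticated request, the tenant claim is mandatory.
    claim_value = resolve_path(request.jwt_claims, claim_path)
    if claim_value is None:
        raise PermissionError(f"token lacks tenant claim at {claim_path}")
    # Rule 3: the header is optional, but if present it must match the claim.
    if header_value is not None and header_value != claim_value:
        raise PermissionError(
            f"header tenant {header_value!r} does not match claim {claim_value!r}")
    return claim_value


def run_examples() -> dict:
    """Apply the rules to constructed requests; returns the outcome per case."""
    cases = {
        "anonymous_allowed": Request(headers={"X-TENANT-ID": "everest"}),
        "anonymous_unknown": Request(headers={"X-TENANT-ID": "acme"}),
        "anonymous_no_header": Request(),
        "logged_in_claim_only": Request(jwt_claims={"TenantID": "blueriq"}),
        "logged_in_matching_header": Request(headers={"x-tenant-id": "blueriq"},
                                             jwt_claims={"TenantID": "blueriq"}),
        "logged_in_mismatch": Request(headers={"X-TENANT-ID": "everest"},
                                      jwt_claims={"TenantID": "blueriq"}),
        "logged_in_no_claim": Request(jwt_claims={"roles": ["user"]}),
    }
    results = {}
    for name, req in cases.items():
        try:
            results[name] = "accepted:" + validate_tenant(req)
        except PermissionError as exc:
            results[name] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_examples().items():
        print(f"{name:28s} {outcome}")
```

Running the script prints one line per constructed request; the two mismatch cases (an unknown tenant in the header, and a header that disagrees with the token's claim) are rejected, which is the behaviour the validation rules above are meant to enforce.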
Configuring OpenID Connect with multi-tenancy

```properties
blueriq.security.login-type=openid-connect
blueriq.security.auth-providers.openid-provider.type=openid-connect
blueriq.security.openid-connect.use-discovery=true
blueriq.security.openid-connect.token-issuer=http://${MULTITENANCY_HOST}:18034/realms/Blueriq
blueriq.security.openid-connect.client-id=blueriq-runtime
blueriq.security.openid-connect.client-secret=very-secret
blueriq.security.openid-connect.scopes=openid
blueriq.security.openid-connect.roles-path=$.roles
blueriq.security.auth-providers-chain=openid-provider
blueriq.security.openid-connect.sso-logout=true
blueriq.security.openid-connect.end-session-endpoint=http://${MULTITENANCY_HOST}:18034/realms/Blueriq/protocol/openid-connect/logout
blueriq.security.jwt-claims.roles-path=$.roles
blueriq.security.jwt-claims.tenant-path=$.tenant
```
Also, make sure that there are no existing properties that could override the openid-connect configuration. Comment out or remove the following:

```properties
# blueriq.security.auth-providers.local01.type=in-memory
# blueriq.security.auth-providers.local01.users.location=users.properties
# blueriq.security.auth-providers-chain=local01
```