Page History
This page describes changes in HTTP request validation and how to configure OpenID Connect with Multitenancy.
Enabling
...
multi-tenancy
To use OpenID Connect, multitenancy multi-tenancy needs to be enabled (can be added to application.propeties). Also a list of allowed tenants should be configured.
Code Block | ||
---|---|---|
| ||
blueriq.multi-tenancy.enabled=true
blueriq.multi-tenancy.allowedTenants=blueriq,everest |
HTTP request validation
When multitenancy multi-tenancy is enabled, each HTTP request is validated as followingfollows:
- Check if the user is logged in using OpenID Connect → JWT Token Claims should contain tenant claimtoken claims should contain the tenant claim.
- If the user is not logged in, then the tenant header should be present and valid. The HTTP header is valid when its value is in a the list of of allowed tenants.
- If the user is logged in, then the tenant header is not necessaryrequired. If it exists, then it needs to match the tenant claim claim value.
Tenant claim
The JWT token claim that can be configured by changing property blueriq.security.jwt-claims.claim-mapping.TenantID. For example:
Code Block | ||
---|---|---|
| ||
blueriq.security.jwt-claims.claim-mapping.TenantID=$.TenantID |
Tenant header
The HTTP header that is passed in the HTTP request, can be configured by changing property blueriq.multi-tenancy.httpHeader. For example:
Code Block | ||
---|---|---|
| ||
blueriq.multi-tenancy.httpHeader=X-TENANT-ID |
Allowed tenants
set of tenants that can be used in system, can be configured using property blueriq.multi-tenancy.allowedTenants
Code Block |
---|
blueriq.multi-tenancy.allowedTenants=blueriq,everest |
Configuration OpenID Connect with Multitenancy
To switch into OpenID Connect configuration, following properties need to be added to application.properties
Code Block |
---|
blueriq.security.login-type=openid-connect
blueriq.security.auth-providers.openid-provider.type=openid-connect
blueriq.security.openid-connect.use-discovery=true
blueriq.security.openid-connect.token-issuer=http://${MULTITENANCY_HOST}:18034/realms/Blueriq
blueriq.security.openid-connect.client-id=blueriq-runtime
blueriq.security.openid-connect.client-secret=very-secret
blueriq.security.openid-connect.scopes=openid
blueriq.security.openid-connect.roles-path=$.roles
blueriq.security.auth-providers-chain=openid-provider
blueriq.security.openid-connect.sso-logout=true
blueriq.security.openid-connect.end-session-endpoint=http://${MULTITENANCY_HOST}:18034/realms/Blueriq/protocol/openid-connect/logout
blueriq.security.jwt-claims.roles-path=$.roles
blueriq.security.jwt-claims.tenant-path=$.tenant |
Also, make sure that there are no existing properties that could override openid-connect configuration. Comment out / remove following:
Code Block |
---|
# blueriq.security.auth-providers.local01.type=in-memory
# blueriq.security.auth-providers.local01.users.location=users.properties
# blueriq.security.auth-providers-chain=local01 |