You are viewing the documentation for Blueriq 17. Documentation for other versions is available in our documentation directory.

This page describes changes in HTTP request validation and how to configure OpenID Connect with Multitenancy.

Enabling multitenancy

OpenID Connect requires multitenancy to be enabled. Add the following property to application.properties:

blueriq.multi-tenancy.enabled=true

HTTP request validation

When multitenancy is enabled, each HTTP request is validated as follows:

  • Check whether the user is logged in through OpenID Connect; if so, the JWT token claims must contain the tenant claim.
  • If the user is not logged in, the tenant header must be present and valid. The header is valid when its value is in the list of allowed tenants.
  • If the user is logged in, the tenant header is not required. If it is present, its value must match the tenant claim.

Tenant claim

The JWT token claim that carries the tenant. It can be configured with the property blueriq.security.jwt-claims.claim-mapping.TenantID:

blueriq.security.jwt-claims.claim-mapping.TenantID=$.TenantID

Tenant header

The HTTP header that carries the tenant in an HTTP request. It can be configured with the property blueriq.multi-tenancy.httpHeader:

blueriq.multi-tenancy.httpHeader=X-TENANT-ID

Allowed tenants

The set of tenants that can be used in the system. It can be configured with the property blueriq.multi-tenancy.allowedTenants:

blueriq.multi-tenancy.allowedTenants=blueriq,everest
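As an added illustration (not Blueriq's own code), the three validation rules above, together with the claim mapping, tenant header and allowed-tenant list, are modelled below in Python. The `Request` class, the `$.a.b` subset of JSONPath that `resolve_claim` supports, and the sample requests are constructed assumptions for the illustration; the property values mirror the ones on this page.

```python
"""Model of the multitenancy request validation described on this page.

Illustration only: this is not Blueriq's implementation. The configuration
values mirror the properties shown on the page; everything else is assumed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed configuration, mirroring the page's properties
ALLOWED_TENANTS = {"blueriq", "everest"}   # blueriq.multi-tenancy.allowedTenants
TENANT_HEADER = "X-TENANT-ID"              # blueriq.multi-tenancy.httpHeader
TENANT_CLAIM_PATH = "$.TenantID"           # blueriq.security.jwt-claims.claim-mapping.TenantID


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: headers plus the JWT claims
    of the logged-in user, or None when the request is unauthenticated."""
    headers: dict = field(default_factory=dict)
    claims: Optional[dict] = None


def resolve_claim(claims: dict, path: str):
    """Resolve a dotted JSONPath such as '$.TenantID' or '$.realm.tenant'.

    Assumption: only the '$.a.b' subset of JSONPath is supported here.
    Returns None when any segment is missing.
    """
    if not path.startswith("$."):
        raise ValueError(f"unsupported claim path: {path}")
    node = claims
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def header_value(headers: dict, name: str):
    """HTTP header names are case-insensitive; look the header up accordingly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def resolve_tenant(request: Request,
                   allowed=ALLOWED_TENANTS,
                   header_name=TENANT_HEADER,
                   claim_path=TENANT_CLAIM_PATH) -> str:
    """Return the tenant for the request, or raise PermissionError.

    Rule 1: a logged-in user must carry the tenant claim.
    Rule 2: an anonymous request must carry a header naming an allowed tenant.
    Rule 3: a logged-in user's header, if present, must equal the claim.
    """
    header = header_value(request.headers, header_name)

    if request.claims is None:
        # Rule 2: not logged in, so the header is mandatory and must be allowed
        if header is None:
            raise PermissionError("missing tenant header")
        if header not in allowed:
            raise PermissionError(f"tenant '{header}' is not in the allowed list")
        return header

    # Rule 1: logged in, so the tenant claim is authoritative
    tenant = resolve_claim(request.claims, claim_path)
    if tenant is None:
        raise PermissionError("token does not contain the tenant claim")

    # Rule 3: an optional header must agree with the claim
    if header is not None and header != tenant:
        raise PermissionError("tenant header does not match tenant claim")
    return tenant


def check(request: Request) -> str:
    """Convenience wrapper returning 'ok:<tenant>' or 'denied:<reason>'."""
    try:
        return f"ok:{resolve_tenant(request)}"
    except PermissionError as exc:
        return f"denied:{exc}"


if __name__ == "__main__":
    # Constructed sample requests covering each rule
    samples = [
        Request({"X-TENANT-ID": "blueriq"}),                              # anonymous, allowed
        Request({"X-TENANT-ID": "acme"}),                                 # anonymous, unknown tenant
        Request({}),                                                      # anonymous, no header
        Request({}, claims={"TenantID": "everest"}),                      # logged in, no header
        Request({"X-TENANT-ID": "everest"}, claims={"TenantID": "everest"}),  # header matches
        Request({"X-TENANT-ID": "blueriq"}, claims={"TenantID": "everest"}),  # header mismatch
        Request({}, claims={"sub": "alice"}),                             # token without claim
    ]
    for sample in samples:
        print(check(sample))
```

The header comparison is case-insensitive on the header name but exact on its value, so `X-TENANT-ID: Blueriq` would not match the allowed tenant `blueriq`; whether the real implementation normalises case is not stated on this page.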

Configuration OpenID Connect with Multitenancy

To switch to the OpenID Connect configuration, add the following properties to application.properties:

blueriq.security.login-type=openid-connect
blueriq.security.auth-providers.openid-provider.type=openid-connect
blueriq.security.openid-connect.use-discovery=true
blueriq.security.openid-connect.token-issuer=http://${MULTITENANCY_HOST}:18034/realms/Blueriq
blueriq.security.openid-connect.client-id=blueriq-runtime
blueriq.security.openid-connect.client-secret=very-secret
blueriq.security.openid-connect.scopes=openid
blueriq.security.openid-connect.roles-path=$.roles
blueriq.security.auth-providers-chain=openid-provider
blueriq.security.openid-connect.sso-logout=true
blueriq.security.openid-connect.end-session-endpoint=http://${MULTITENANCY_HOST}:18034/realms/Blueriq/protocol/openid-connect/logout
blueriq.security.jwt-claims.roles-path=$.roles
blueriq.security.jwt-claims.tenant-path=$.tenant

Also make sure that no existing properties override the OpenID Connect configuration. Comment out or remove the following:

# blueriq.security.auth-providers.local01.type=in-memory
# blueriq.security.auth-providers.local01.users.location=users.properties
# blueriq.security.auth-providers-chain=local01
