You are viewing the documentation for Blueriq 17. Documentation for other versions is available in our documentation directory.
This page describes changes in HTTP request validation and how to configure OpenID Connect with Multitenancy.
Enabling multitenancy
To use OpenID Connect, multitenancy needs to be enabled. Add the following property to application.properties:
blueriq.multi-tenancy.enabled=true
HTTP request validation
When multitenancy is enabled, each HTTP request is validated as follows:
- Check whether the user is logged in using OpenID Connect. If so, the JWT token claims must contain the tenant claim.
- If the user is not logged in, the tenant header must be present and valid. The HTTP header is valid when its value is in the list of allowed tenants.
- If the user is logged in, the tenant header is not required. If it is present, its value must match the tenant claim.
tenant claim: the JWT token claim that identifies the tenant. It can be configured by changing the property blueriq.security.jwt-claims.claim-mapping.TenantID=$.TenantID
tenant header: the HTTP header passed in the HTTP request. Its name can be configured by changing the property blueriq.multi-tenancy.httpHeader=X-TENANT-ID
allowed tenants: the set of tenants that can be used in the system. It can be configured using the property blueriq.multi-tenancy.allowedTenants=blueriq,everest
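The three validation rules above, modelled as an added example (this is not Blueriq's own code). The property names are the ones documented on this page; the request headers, the claim key `tenant` and the `load_properties` helper are assumptions of this example.

```python
# Added example: a model of the documented request-validation rules, not Blueriq's code.
# Property names come from the page; request and claim values are constructed sample data.
from dataclasses import dataclass, field
from typing import Optional

# Constructed application.properties fragment (values taken from this page)
PROPERTIES = """
blueriq.multi-tenancy.enabled=true
blueriq.multi-tenancy.httpHeader=X-TENANT-ID
blueriq.multi-tenancy.allowedTenants=blueriq,everest
"""

def load_properties(text: str) -> dict:
    """Minimal key=value parser for the properties lines above (assumed helper)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    claims: Optional[dict] = None  # decoded JWT claims when logged in via OIDC, else None

def validate_tenant(req: Request, props: dict) -> tuple:
    """Apply the three documented rules; returns (accepted, reason)."""
    if props.get("blueriq.multi-tenancy.enabled") != "true":
        return True, "multitenancy disabled, no tenant check"
    header_name = props.get("blueriq.multi-tenancy.httpHeader", "X-TENANT-ID")
    raw = props.get("blueriq.multi-tenancy.allowedTenants", "")
    allowed = {t.strip() for t in raw.split(",") if t.strip()}
    # HTTP header names are case-insensitive, so compare them lower-cased
    header = next((v for k, v in req.headers.items() if k.lower() == header_name.lower()), None)
    if req.claims is None:
        # Rule 2: anonymous request, header is required and must name an allowed tenant
        if header is None:
            return False, f"not logged in and {header_name} header missing"
        if header not in allowed:
            return False, f"tenant '{header}' is not an allowed tenant"
        return True, f"tenant '{header}' from header"
    # Rule 1: logged in, so the token must carry the tenant claim ('tenant' key is assumed)
    claim = req.claims.get("tenant")
    if not claim:
        return False, "logged in but JWT has no tenant claim"
    # Rule 3: header is optional here, but when present it must match the claim
    if header is not None and header != claim:
        return False, f"header tenant '{header}' does not match claim '{claim}'"
    return True, f"tenant '{claim}' from JWT claim"
```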
Configuring OpenID Connect with Multitenancy
To switch to the OpenID Connect configuration, the following properties need to be added to application.properties:
blueriq.security.login-type=openid-connect
blueriq.security.auth-providers.openid-provider.type=openid-connect
blueriq.security.openid-connect.use-discovery=true
blueriq.security.openid-connect.token-issuer=http://${MULTITENANCY_HOST}:18034/realms/Blueriq
blueriq.security.openid-connect.client-id=blueriq-runtime
blueriq.security.openid-connect.client-secret=very-secret
blueriq.security.openid-connect.scopes=openid
blueriq.security.openid-connect.roles-path=$.roles
blueriq.security.auth-providers-chain=openid-provider
blueriq.security.openid-connect.sso-logout=true
blueriq.security.openid-connect.end-session-endpoint=http://${MULTITENANCY_HOST}:18034/realms/Blueriq/protocol/openid-connect/logout
blueriq.security.jwt-claims.roles-path=$.roles
blueriq.security.jwt-claims.tenant-path=$.tenant
Also, make sure that no existing properties override the openid-connect configuration. Comment out or remove the following:
# blueriq.security.auth-providers.local01.type=in-memory
# blueriq.security.auth-providers.local01.users.location=users.properties
# blueriq.security.auth-providers-chain=local01