From 8d4f5ef12cef44723f5585da8055b4f2eb210865 Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin
Date: Mon, 24 Apr 2023 18:55:09 +0100
Subject: [PATCH] Provide default OIDC static tenant resolver
---
 .../security-openid-connect-multitenancy.adoc | 2 ++
 .../runtime/DefaultTenantConfigResolver.java | 24 +++++++++++++++
 .../it/keycloak/CustomTenantResolver.java | 22 --------------
 .../src/main/resources/application.properties | 30 +++++++++----------
 4 files changed, 41 insertions(+), 37 deletions(-)
 delete mode 100644 integration-tests/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/CustomTenantResolver.java
diff --git a/docs/src/main/asciidoc/security-openid-connect-multitenancy.adoc b/docs/src/main/asciidoc/security-openid-connect-multitenancy.adoc
index a2f21633539e0..87a5320fc9807 100644
--- a/docs/src/main/asciidoc/security-openid-connect-multitenancy.adoc
+++ b/docs/src/main/asciidoc/security-openid-connect-multitenancy.adoc
@@ -306,6 +306,8 @@ public class CustomTenantResolver implements TenantResolver {
 }
 ----
+In fact, this is how Quarkus OIDC resolves static custom tenants itself if no custom `TenantResolver` is registered.
+
 A similar technique can be used with `TenantConfigResolver` where a `tenant-id` provided in the context can be used to return `OidcTenantConfig` already prepared with the previous request.
 ====
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTenantConfigResolver.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTenantConfigResolver.java
index 946a02998deae..244b03aab845b 100644
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTenantConfigResolver.java
+++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTenantConfigResolver.java
@@ -33,6 +33,8 @@ public class DefaultTenantConfigResolver {
 private static final String CURRENT_STATIC_TENANT_ID_NULL = "static.tenant.id.null";
 private static final String CURRENT_DYNAMIC_TENANT_CONFIG = "dynamic.tenant.config";
+ private DefaultStaticTenantResolver defaultStaticTenantResolver = new DefaultStaticTenantResolver();
+
 @Inject
 Instance tenantResolver;
@@ -133,6 +135,8 @@ private TenantConfigContext getStaticTenantContext(RoutingContext context) {
 if (tenantId == null && context.get(CURRENT_STATIC_TENANT_ID_NULL) == null) {
 if (tenantResolver.isResolvable()) {
 tenantId = tenantResolver.get().resolve(context);
+ } else if (tenantConfigBean.getStaticTenantsConfig().size() > 0) {
+ tenantId = defaultStaticTenantResolver.resolve(context);
 }
 if (tenantId == null) {
 tenantId = context.get(OidcUtils.TENANT_ID_ATTRIBUTE);
@@ -236,4 +240,24 @@ public TenantConfigBean getTenantConfigBean() {
 return tenantConfigBean;
 }
+ private class DefaultStaticTenantResolver implements TenantResolver {
+
+ @Override
+ public String resolve(RoutingContext context) {
+ String tenantId = context.get(OidcUtils.TENANT_ID_ATTRIBUTE);
+ if (tenantId != null) {
+ return tenantId;
+ }
+ String[] pathSegments = context.request().path().split("/");
+ if (pathSegments.length > 0) {
+ String lastPathSegment = pathSegments[pathSegments.length - 1];
+ if (tenantConfigBean.getStaticTenantsConfig().containsKey(lastPathSegment)) {
+ return lastPathSegment;
+ }
+ }
+ return null;
+ }
+
+ }
+
 }
diff --git a/integration-tests/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/CustomTenantResolver.java b/integration-tests/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/CustomTenantResolver.java
deleted file mode 100644
index 7252dc38ca0d9..0000000000000
--- a/integration-tests/keycloak-authorization/src/main/java/io/quarkus/it/keycloak/CustomTenantResolver.java
+++ /dev/null
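Review bot: `tenantConfigBean.getStaticTenantsConfig().size() > 0` in the new `else if` of getStaticTenantContext reads more directly as `!tenantConfigBean.getStaticTenantsConfig().isEmpty()`. The `else if` also means the built-in path-based resolver is skipped entirely whenever a custom `TenantResolver` bean is resolvable, even if that resolver returns null for the request; if that precedence is intended, a comment such as `// a registered TenantResolver takes precedence; the default path-based resolver applies only when none is registered` would make it explicit for the next reader. getStaticTenantContext begins and ends outside the hunk.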
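Review bot: `DefaultStaticTenantResolver.resolve` takes the last segment of `context.request().path()`, the raw request path, whereas the Vert.x router matches routes on the normalized path as far as I recall; a request whose raw path ends in a `.` or `..` segment can therefore be dispatched to a tenant-specific route while the resolver sees a segment that is not a configured tenant id and returns null, leaving tenant selection to whatever fallback the caller applies. Resolving from `context.normalizedPath()` instead — `String[] pathSegments = context.normalizedPath().split("/");` — keeps tenant selection consistent with the route that actually matched. The leading `context.get(OidcUtils.TENANT_ID_ATTRIBUTE)` lookup at the top of `resolve` duplicates the `if (tenantId == null)` fallback that getStaticTenantContext applies right after calling it, so one of the two could go. The new inner class also has no doc comment; a short Javadoc stating that it selects a static tenant only when the last path segment exactly equals a configured static tenant id and otherwise returns null for the caller to handle would document the contract.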
@@ -1,22 +0,0 @@
-package io.quarkus.it.keycloak;
-
-import jakarta.enterprise.context.ApplicationScoped;
-
-import io.quarkus.oidc.TenantResolver;
-import io.vertx.ext.web.RoutingContext;
-
-@ApplicationScoped
-public class CustomTenantResolver implements TenantResolver {
-
- @Override
- public String resolve(RoutingContext context) {
- if (context.request().path().endsWith("tenant")) {
- return "tenant";
- }
- if (context.request().path().endsWith("webapp")) {
- return "webapp-tenant";
- }
-
- return null;
- }
-}
diff --git a/integration-tests/keycloak-authorization/src/main/resources/application.properties b/integration-tests/keycloak-authorization/src/main/resources/application.properties
index 751216865bb88..7869cee4f50fd 100644
--- a/integration-tests/keycloak-authorization/src/main/resources/application.properties
+++ b/integration-tests/keycloak-authorization/src/main/resources/application.properties
@@ -88,24 +88,24 @@ quarkus.keycloak.policy-enforcer.paths.19.name=Scope Permission Resource
 quarkus.keycloak.policy-enforcer.paths.19.path=/api/permission/scopes/programmatic-way-denied
 # Service Tenant
-quarkus.oidc.tenant.auth-server-url=${quarkus.oidc.auth-server-url}
-quarkus.oidc.tenant.client-id=quarkus-app
-quarkus.oidc.tenant.credentials.secret=secret
+quarkus.oidc.api-permission-tenant.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc.api-permission-tenant.client-id=quarkus-app
+quarkus.oidc.api-permission-tenant.credentials.secret=secret
-quarkus.keycloak.tenant.policy-enforcer.paths.1.name=Permission Resource Tenant
-quarkus.keycloak.tenant.policy-enforcer.paths.1.path=/api-permission-tenant
-quarkus.keycloak.tenant.policy-enforcer.paths.1.claim-information-point.claims.static-claim=static-claim
+quarkus.keycloak.api-permission-tenant.policy-enforcer.paths.1.name=Permission Resource Tenant
+quarkus.keycloak.api-permission-tenant.policy-enforcer.paths.1.path=/api-permission-tenant
+quarkus.keycloak.api-permission-tenant.policy-enforcer.paths.1.claim-information-point.claims.static-claim=static-claim
 # Web App Tenant
-quarkus.oidc.webapp-tenant.auth-server-url=${quarkus.oidc.auth-server-url}
-quarkus.oidc.webapp-tenant.client-id=quarkus-app
-quarkus.oidc.webapp-tenant.credentials.secret=secret
-quarkus.oidc.webapp-tenant.application-type=web-app
-quarkus.oidc.webapp-tenant.roles.source=accesstoken
-
-quarkus.keycloak.webapp-tenant.policy-enforcer.paths.1.name=Permission Resource WebApp
-quarkus.keycloak.webapp-tenant.policy-enforcer.paths.1.path=/api-permission-webapp
-quarkus.keycloak.webapp-tenant.policy-enforcer.paths.1.claim-information-point.claims.static-claim=static-claim
+quarkus.oidc.api-permission-webapp.auth-server-url=${quarkus.oidc.auth-server-url}
+quarkus.oidc.api-permission-webapp.client-id=quarkus-app
+quarkus.oidc.api-permission-webapp.credentials.secret=secret
+quarkus.oidc.api-permission-webapp.application-type=web-app
+quarkus.oidc.api-permission-webapp.roles.source=accesstoken
+
+quarkus.keycloak.api-permission-webapp.policy-enforcer.paths.1.name=Permission Resource WebApp
+quarkus.keycloak.api-permission-webapp.policy-enforcer.paths.1.path=/api-permission-webapp
+quarkus.keycloak.api-permission-webapp.policy-enforcer.paths.1.claim-information-point.claims.static-claim=static-claim
 admin-url=${keycloak.url}