Skip to content

Commit

Permalink
Allow to register OIDC tenants programmatically
Browse files Browse the repository at this point in the history
  • Loading branch information
@michalvavrik
michalvavrik committed Dec 26, 2024
1 parent 5290c33 commit 1b4601d
Show file tree
Hide file tree
Showing 17 changed files with 1,183 additions and 703 deletions.
31 changes: 31 additions & 0 deletions docs/src/main/asciidoc/security-oidc-bearer-token-authentication.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1464,6 +1464,37 @@ public class DiscoveryEndpointResponseFilter implements OidcResponseFilter {
<3> Use `OidcRequestContextProperties` request properties to get the tenant id.
<4> Get the response data as String.

== Programmatic OIDC start-up

OIDC tenants can be created programmatically like in the example below:

[source,java]
----
package io.quarkus.it.oidc;
import io.quarkus.oidc.Oidc;
import io.quarkus.oidc.OidcTenantConfig;
import jakarta.enterprise.event.Observes;
public class OidcStartup {
void observe(@Observes Oidc oidc) {
oidc.create(OidcTenantConfig.authServerUrl("http://localhost:8180/realms/quarkus").build());
}
}
----

The code above is a programmatic equivalent to the following configuration in the `application.properties` file:

[source,properties]
----
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
----

For more complex setup involving multiple tenants please see the xref:security-openid-connect-multitenancy.adoc#programmatic-startup[Programmatic OIDC start-up for multitenant application]
section of the OpenID Connect Multi-Tenancy guide.

== References

* xref:security-oidc-configuration-properties-reference.adoc[OIDC configuration properties]
Expand Down
41 changes: 41 additions & 0 deletions docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2049,6 +2049,47 @@ quarkus.log.category."io.quarkus.oidc.runtime.OidcRecorder".min-level=TRACE

From the `quarkus dev` console, type `j` to change the application global log level.

== Programmatic OIDC start-up

OIDC tenants can be created programmatically like in the example below:

[source,java]
----
package io.quarkus.it.oidc;
import io.quarkus.oidc.Oidc;
import io.quarkus.oidc.OidcTenantConfig;
import jakarta.enterprise.event.Observes;
import static io.quarkus.oidc.runtime.OidcTenantConfig.ApplicationType.WEB_APP;
public class OidcStartup {
void observe(@Observes Oidc oidc) {
oidc.create(OidcTenantConfig
.authServerUrl("http://localhost:8180/realms/quarkus")
.applicationType(WEB_APP)
.clientId("quarkus-app")
.credentials().clientSecret("mysecret").end()
.build());
}
}
----

The code above is a programmatic equivalent to the following configuration in the `application.properties` file:

[source,properties]
----
quarkus.oidc.auth-server-url=http://localhost:8180/realms/quarkus
quarkus.oidc.application-type=web-app
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.secret=mysecret
----

For more complex setup involving multiple tenants please see the xref:security-openid-connect-multitenancy.adoc#programmatic-startup[Programmatic OIDC start-up for multitenant application]
section of the OpenID Connect Multi-Tenancy guide.

== References

* xref:security-oidc-configuration-properties-reference.adoc[OIDC configuration properties]
Expand Down
105 changes: 105 additions & 0 deletions docs/src/main/asciidoc/security-openid-connect-multitenancy.adoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1110,6 +1110,111 @@ The default tenant configuration is automatically disabled when `quarkus.oidc.au

Be aware that tenant-specific configurations can also be disabled, for example: `quarkus.oidc.tenant-a.tenant-enabled=false`.

[[programmatic-startup]]
== Programmatic OIDC start-up for multitenant application

Static OIDC tenants can be created programmatically like in the example below:

[source,java]
----
package io.quarkus.it.oidc;
import io.quarkus.oidc.Oidc;
import io.quarkus.oidc.OidcTenantConfig;
import jakarta.enterprise.event.Observes;
public class OidcStartup {
void observe(@Observes Oidc oidc) { <1>
oidc.create(OidcTenantConfig.authServerUrl("http://localhost:8180/realms/tenant-one").tenantId("tenant-one").build());
oidc.create(OidcTenantConfig.authServerUrl("http://localhost:8180/realms/tenant-two").tenantId("tenant-two").build());
}
}
----
<1> Static tenants must be created in a synchronous manner from the observer method.

The code above is a programmatic equivalent to the following configuration in the `application.properties` file:

[source,properties]
----
quarkus.oidc.tenant-one.auth-server-url=http://localhost:8180/realms/tenant-one
quarkus.oidc.tenant-two.auth-server-url=http://localhost:8180/realms/tenant-two
----

You can also create static tenants based on the tenants configured in the `application.properties` file.
For example, if you need to add only tenant paths programmatically, you can:

.Static application.properties
[source,properties]
----
quarkus.oidc.tenant-two.auth-server-url=http://localhost:8180/realms/tenant-two
quarkus.oidc.tenant-two.tenant-paths=/api/tenant-two/*
----

.Additional property set programmatically
[source,java]
----
package io.quarkus.it.oidc;
import io.quarkus.oidc.Oidc;
import io.quarkus.oidc.OidcTenantConfig;
import jakarta.enterprise.event.Observes;
public class OidcStartup {
void observe(@Observes Oidc oidc, OidcConfig config) {
oidc.create(OidcTenantConfig
.builder(config.namedTenants().get("tenant-two"))
.tenantPaths(getAdditionalTenantPath()) <1>
.build()
);
}
private String getAdditionalTenantPath() {
return "/additional-tenant-path";
}
}
----
<1> The tenant `tenant-two` will have two paths, `/additional-tenant-path` and `/api/tenant-two/*`.

Dynamic OIDC tenants resolved with the <<annotations-tenant-resolver>> can be created whenever necessary:

[source,java]
----
package io.quarkus.it.oidc;
import io.quarkus.oidc.Oidc;
import io.quarkus.oidc.OidcTenantConfig;
import io.smallrye.mutiny.Uni;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
@ApplicationScoped
public class OidcConfigurationService {
@Inject
Oidc oidc;
public void createDynamicTenant(String authServerUrl) {
oidc.create(createConfig(authServerUrl));
}
public Uni<Void> createDynamicTenantNonBlocking(String authServerUrl) {
return oidc.createAsync(createConfig(authServerUrl)); <1>
}
private static OidcTenantConfig createConfig(String authServerUrl) {
return OidcTenantConfig.authServerUrl(authServerUrl).tenantId("tenant-three").build(); <2>
}
}
----
<1> Use the `createAsync` method to create a dynamic tenant on an IO thread.
<2> The tenant `tenant-three` will not be available until you create it.
Please make sure you create tenants during the application start-up.
Creating tenants after your application has started would typically be a bad idea, only useful in special cases.

== References

* xref:security-oidc-configuration-properties-reference.adoc[OIDC configuration properties]
Expand Down
16 changes: 8 additions & 8 deletions .../runtime/src/main/java/io/quarkus/keycloak/pep/runtime/DefaultPolicyEnforcerResolver.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@
import java.util.function.Function;
import java.util.function.Supplier;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Instance;
import jakarta.inject.Singleton;

import org.keycloak.adapters.authorization.PolicyEnforcer;

Expand All @@ -19,14 +19,14 @@
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.common.runtime.OidcTlsSupport;
import io.quarkus.oidc.runtime.BlockingTaskRunner;
import io.quarkus.oidc.runtime.OidcConfig;
import io.quarkus.oidc.runtime.TenantConfigBean;
import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
import io.quarkus.tls.TlsConfigurationRegistry;
import io.quarkus.vertx.http.runtime.HttpConfiguration;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;

@Singleton
@ApplicationScoped
public class DefaultPolicyEnforcerResolver implements PolicyEnforcerResolver {

private final TenantPolicyConfigResolver dynamicConfigResolver;
Expand All @@ -36,7 +36,7 @@ public class DefaultPolicyEnforcerResolver implements PolicyEnforcerResolver {
private final long readTimeout;
private final OidcTlsSupport tlsSupport;

DefaultPolicyEnforcerResolver(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config,
DefaultPolicyEnforcerResolver(TenantConfigBean tenantConfigBean, KeycloakPolicyEnforcerConfig config,
HttpConfiguration httpConfiguration, BlockingSecurityExecutor blockingSecurityExecutor,
Instance<TenantPolicyConfigResolver> configResolver,
InjectableInstance<TlsConfigurationRegistry> tlsConfigRegistryInstance) {
Expand All @@ -48,11 +48,11 @@ public class DefaultPolicyEnforcerResolver implements PolicyEnforcerResolver {
this.tlsSupport = OidcTlsSupport.empty();
}

var defaultTenantConfig = OidcConfig.getDefaultTenant(oidcConfig);
var defaultTenantConfig = tenantConfigBean.getDefaultTenant().oidcConfig();
var defaultTenantTlsSupport = tlsSupport.forConfig(defaultTenantConfig.tls());
this.defaultPolicyEnforcer = createPolicyEnforcer(defaultTenantConfig, config.defaultTenant(),
defaultTenantTlsSupport);
this.namedPolicyEnforcers = createNamedPolicyEnforcers(oidcConfig, config, tlsSupport);
this.namedPolicyEnforcers = createNamedPolicyEnforcers(tenantConfigBean, config, tlsSupport);
if (configResolver.isResolvable()) {
this.dynamicConfigResolver = configResolver.get();
this.requestContext = new BlockingTaskRunner<>(blockingSecurityExecutor);
Expand Down Expand Up @@ -105,15 +105,15 @@ public PolicyEnforcer apply(KeycloakPolicyEnforcerTenantConfig tenant) {
});
}

private static Map<String, PolicyEnforcer> createNamedPolicyEnforcers(OidcConfig oidcConfig,
private static Map<String, PolicyEnforcer> createNamedPolicyEnforcers(TenantConfigBean tenantConfigBean,
KeycloakPolicyEnforcerConfig config, OidcTlsSupport tlsSupport) {
if (config.namedTenants().isEmpty()) {
return Map.of();
}

Map<String, PolicyEnforcer> policyEnforcerTenants = new HashMap<>();
for (Map.Entry<String, KeycloakPolicyEnforcerTenantConfig> tenant : config.namedTenants().entrySet()) {
var oidcTenantConfig = getOidcTenantConfig(oidcConfig, tenant.getKey());
var oidcTenantConfig = getOidcTenantConfig(tenantConfigBean, tenant.getKey());
policyEnforcerTenants.put(tenant.getKey(),
createPolicyEnforcer(oidcTenantConfig, tenant.getValue(), tlsSupport.forConfig(oidcTenantConfig.tls())));
}
Expand Down
12 changes: 6 additions & 6 deletions ...ion/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerUtil.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,8 @@
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.common.runtime.OidcTlsSupport.TlsConfigSupport;
import io.quarkus.oidc.common.runtime.config.OidcCommonConfig;
import io.quarkus.oidc.runtime.OidcConfig;
import io.quarkus.oidc.runtime.OidcTenantConfig;
import io.quarkus.oidc.runtime.TenantConfigBean;
import io.quarkus.runtime.configuration.ConfigurationException;

public final class KeycloakPolicyEnforcerUtil {
Expand Down Expand Up @@ -224,15 +224,15 @@ private static boolean isNotComplexConfigKey(String key) {
return !key.contains(".");
}

static OidcTenantConfig getOidcTenantConfig(OidcConfig oidcConfig, String tenant) {
static OidcTenantConfig getOidcTenantConfig(TenantConfigBean tenantConfigBean, String tenant) {
if (tenant == null || DEFAULT_TENANT_ID.equals(tenant)) {
return OidcConfig.getDefaultTenant(oidcConfig);
return tenantConfigBean.getDefaultTenant().getOidcTenantConfig();
}

var oidcTenantConfig = oidcConfig.namedTenants().get(tenant);
if (oidcTenantConfig == null) {
var staticTenant = tenantConfigBean.getStaticTenant(tenant);
if (staticTenant == null || staticTenant.oidcConfig() == null) {
throw new ConfigurationException("Failed to find a matching OidcTenantConfig for tenant: " + tenant);
}
return oidcTenantConfig;
return staticTenant.oidcConfig();
}
}
Loading

0 comments on commit 1b4601d

Please sign in to comment.