OIDC tenant resolution policy #33495
Comments
/cc @pedroigor (oidc)
Hey @sberyozkin, I am missing the part where would be
The more I think about it, the less it makes sense to use an annotation. I think we have quite robust path-matching HTTP Security policies now; all we need to do is offer an OIDC-specific policy, for example:

which behind the curtains will be just a shared custom HTTP Security policy for a path pattern. @sberyozkin, if you agree, can you adjust the issue description or provide feedback, please?
Although with proactive auth it would be cool to select the client before the initial auth happened. I think I'll avoid HTTP Security policies, but the major question is whether the
Hi @michalvavrik, sorry, I've totally missed it. I've been rereading the issue. If we have a So I think what you are proposing with
Description
Right now, in a multi-tenant OIDC setup, users have to write a custom TenantResolver (to resolve tenant configurations already set in application.properties) or TenantConfigResolver (if configurations are created dynamically). Custom resolvers usually need to check a path or something else in the request, which can be quite boilerplate.
#32864 goes some way toward simplifying it for typical cases involving multiple providers.
When tenant configurations are set in application.properties, instead of writing a custom TenantResolver one can use annotations. This is quite simple, but some code is still needed.

Implementation ideas
@pedroigor has had an idea of simplifying and enhancing it further with what can be called tenant resolution policy annotations, similar to what can be done with HTTP policy configuration, for example:

Here, a tenant-1 OIDC configuration will apply to all paths matching /web-app/*.

This would be the first step. Next steps can involve using custom rules, as well as running multiple ordered resolvers, etc.
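For reference, this is the kind of hand-written, path-matching TenantResolver that the description above (and the "OIDC-specific policy for a path pattern" suggested in the comments) wants to make unnecessary. It is an added example written for this page, not code from the Quarkus issue or the Quarkus code base; the package name, the class name, the admin tenant and the pattern table are assumptions. It assumes each tenant id has a matching quarkus.oidc.<tenant-id>.* block in application.properties and uses Quarkus's io.quarkus.oidc.TenantResolver interface, which receives the Vert.x RoutingContext:

```java
package org.acme.oidc; // hypothetical package

import java.util.LinkedHashMap;
import java.util.Map;

import io.quarkus.oidc.TenantResolver;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;

/**
 * Added example, not code from the Quarkus issue: a custom TenantResolver that
 * selects a tenant by request path. The pattern table and tenant ids are
 * hypothetical; "tenant-1" for "/web-app/*" is the case named in the issue text,
 * and each tenant id needs its own quarkus.oidc.<tenant-id>.* configuration
 * (for example quarkus.oidc.tenant-1.auth-server-url=...) in application.properties.
 */
@ApplicationScoped
public class PathPatternTenantResolver implements TenantResolver {

    /** Ordered pattern -> tenant table; the first matching pattern wins. */
    private static final Map<String, String> PATTERN_TO_TENANT = new LinkedHashMap<>();

    static {
        PATTERN_TO_TENANT.put("/web-app/*", "tenant-1");   // the case from the issue
        PATTERN_TO_TENANT.put("/admin/*", "tenant-admin"); // hypothetical second tenant
    }

    @Override
    public String resolve(RoutingContext context) {
        // Match on the normalized path (dot segments and duplicate slashes removed).
        // Matching the raw request path would let "/web-app/../admin/" select
        // tenant-1 even though the request is actually routed to /admin/.
        return resolveTenant(context.normalizedPath());
    }

    /** Returns the tenant id for a normalized path, or null to fall back to the default tenant. */
    static String resolveTenant(String normalizedPath) {
        for (Map.Entry<String, String> entry : PATTERN_TO_TENANT.entrySet()) {
            if (matches(entry.getKey(), normalizedPath)) {
                return entry.getValue();
            }
        }
        return null;
    }

    /**
     * Minimal matcher: a pattern ending in "/*" matches the prefix itself and any
     * path below it on a segment boundary, so "/web-app/*" matches "/web-app" and
     * "/web-app/home" but not "/web-application"; any other pattern is an exact match.
     */
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return path.equals(pattern);
    }
}
```

The proposed tenant resolution policy would move the "/web-app/*" -> tenant-1 row of this table into configuration and drop the class entirely. Two properties of the hand-written version are worth preserving in any declarative replacement: matching has to run against the normalized path, and prefix matching has to stop at a segment boundary, otherwise a request for a sibling path can be authenticated against the wrong tenant's provider.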