[SpringBoot Adapter] Policy-Enforcer in a Multi-tenant environment is causing random 403

Vincent Opa

Feb 15, 2021, 9:29:36 AM
to Keycloak User
Hello,

I'm running Keycloak in a multi-tenant environment, resolving the realm at runtime for each request.
The services are all in Spring-Boot 2 and they use the official Keycloak adapter with a custom resolver (as recommended in the doc) in order to load the configuration of the correct realm for the incoming request.
It appears that requests for different realms are impacting each other, making a request for realm1 do a policy-enforcer check on realm2 (obviously resulting in a DENIED response from the Keycloak server), which makes the service reply with a 403 despite the user having the correct permissions.
I've made a repository available on GitHub to document the issue and allow others to quickly run it: https://github.com/Opa-/keycloak-policy-enforcer-multitenant

I don't know if it is a known issue, as I couldn't find anything in the issues, forum, mailing lists, or anything in the documentation pointing out that the policy-enforcer could not be used within a multi-tenant environment.

Also, I can't find the exact root cause of the issue. If someone with a good knowledge of the Spring-Boot adapter could help, that would be very much welcomed :)

Best regards,
Vincent

Vincent Opa

Feb 16, 2021, 3:33:36 AM
to Keycloak User
Hello,

I fixed the issue and posted a pull request so that someone having the same issue can view it: https://github.com/Opa-/keycloak-policy-enforcer-multitenant/pull/1/files
There's nothing wrong with the official SpringBoot adapter; the issue was caused by declaring the policy-enforcer configuration in one place, under the "keycloak." properties (as you do when configuring a single realm). I had to move these to my custom properties and duplicate them for each realm, which is an acceptable solution :)
I still don't know what exactly is happening when using the "shared" keycloak.policy-enforcer properties.
Note: security-constraints should still be declared under "keycloak."

Regards,
Vincent
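As an added example (not code from the thread or from the linked repository), a custom KeycloakConfigResolver that builds one KeycloakDeployment per realm, each carrying its own PolicyEnforcerConfig, so no tenant shares the keycloak.policy-enforcer-config block that caused the cross-realm DENY described above. The tenant header name, auth server URL, client id, resource path and the realm allow-list are assumptions.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig.EnforcementMode;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig.PathConfig;

// One KeycloakDeployment per realm, each carrying its own PolicyEnforcerConfig.
public class PerRealmConfigResolver implements KeycloakConfigResolver {
    private static final String TENANT_HEADER = "X-Tenant";                 // assumed header
    private static final Set<String> KNOWN_REALMS = Set.of("realm1", "realm2");
    // Cache built deployments: building one is costly and it is immutable per realm.
    private final Map<String, KeycloakDeployment> deployments = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String realm = request.getHeader(TENANT_HEADER);
        // Refuse to build a deployment for a tenant name that is not on the allow-list.
        if (realm == null || !KNOWN_REALMS.contains(realm)) {
            throw new IllegalStateException("unknown tenant: " + realm);
        }
        return deployments.computeIfAbsent(realm, this::buildDeployment);
    }

    private KeycloakDeployment buildDeployment(String realm) {
        AdapterConfig cfg = new AdapterConfig();
        cfg.setRealm(realm);
        cfg.setAuthServerUrl("https://sso.example.test/auth");             // constructed URL
        cfg.setResource("orders-service");                                 // assumed client id
        cfg.setBearerOnly(true);
        // Client secret differs per realm; placeholder reads it from the environment.
        cfg.setCredentials(Map.<String, Object>of("secret",
                System.getenv("KC_SECRET_" + realm.toUpperCase())));
        // Enforcer scoped to THIS realm: a DENY here cannot come from another tenant's realm.
        PolicyEnforcerConfig enforcer = new PolicyEnforcerConfig();
        enforcer.setEnforcementMode(EnforcementMode.ENFORCING);
        PathConfig orders = new PathConfig();
        orders.setName("Orders Resource");                                 // assumed resource
        orders.setPath("/orders/*");
        enforcer.setPaths(List.of(orders));
        cfg.setPolicyEnforcerConfig(enforcer);
        return KeycloakDeploymentBuilder.build(cfg);
    }
}
```

Expose an instance of this class as the KeycloakConfigResolver bean in the Spring Security configuration so the adapter uses it instead of the default properties-based resolver.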