Bearer Token Authorization: multiple <oauth2-introspection> configurations (multi-tenancy support)?


Olivier Masseau

Jul 24, 2023, 9:15:08 AM7/24/23
to WildFly
Hello,

I would like to configure WildFly to perform OAuth2 Bearer Token Authorization as described here:


The problem is that my application needs to support multiple tenants (the tenant is identified by checking the request URL: http://<tenant>.myapp.example.com), so I need to have multiple <oauth2-introspection> configurations (one for each URL).

Something that would look like this:

<token-realm name="OAuth2Realm" principal-claim="sub">
    <!-- Introspection configuration for tenant1 -->
    <oauth2-introspection
         client-id="my-tenant1-client-id"
         client-secret="keep_it_secret"
         introspection-url="https://tenant1-as.example.com/token/introspect"
         client-ssl-context="user-defined-ssl-context" host-name-verification-policy="ANY" />

    <!-- Introspection configuration for tenant2 -->
    <oauth2-introspection
         client-id="my-tenant2-client-id"
         client-secret="keep_it_secret"
         introspection-url="https://tenant2-as.example.com/token/introspect"
         client-ssl-context="user-defined-ssl-context" host-name-verification-policy="ANY" />
</token-realm>

It seems it is not currently supported.
So is there any solution to this?
Is there maybe a way I could extend WildFly's implementation of the oauth2-introspection mechanism?
Or maybe define a custom config resolver?

Something similar to what is available for the Keycloak adapter would be great:
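As an added illustration of the per-tenant resolution asked about above (example code written for this thread, not Olivier's and not part of WildFly Elytron): the tenant label is taken from the Host header, looked up in an allowlist of configured tenants, and the bearer token is then introspected (RFC 7662) only at that tenant's authorization server with that tenant's client credentials. The `send` callable, `TENANTS` table and `APP_SUFFIX` are assumptions introduced here to keep the example runnable offline.

```python
import base64
import re
from typing import Callable, Optional
from urllib.parse import urlencode

# Constructed per-tenant configuration mirroring the two <oauth2-introspection>
# elements in the post; endpoints and secrets are placeholders, not real values.
TENANTS = {
    "tenant1": {"client_id": "my-tenant1-client-id", "client_secret": "keep_it_secret",
                "introspection_url": "https://tenant1-as.example.com/token/introspect"},
    "tenant2": {"client_id": "my-tenant2-client-id", "client_secret": "keep_it_secret",
                "introspection_url": "https://tenant2-as.example.com/token/introspect"},
}
APP_SUFFIX = ".myapp.example.com"          # tenant is the single label before this suffix
_LABEL = re.compile(r"^[a-z0-9-]{1,63}$")  # exactly one DNS label, nothing else


def resolve_tenant(host_header: str) -> Optional[str]:
    """Map the client-chosen Host header to a configured tenant key, or None.
    The header is only ever a lookup key: an unknown or malformed host selects
    no tenant at all instead of falling back to some default authorization server."""
    host = host_header.split(":", 1)[0].lower().rstrip(".")  # drop port and trailing dot
    if not host.endswith(APP_SUFFIX):
        return None
    label = host[: -len(APP_SUFFIX)]
    if not _LABEL.match(label) or label not in TENANTS:
        return None
    return label


def build_introspection_request(tenant: str, token: str) -> dict:
    """RFC 7662 request for the tenant's own authorization server: form-encoded
    token in the body, client authenticated with HTTP Basic (client_id:client_secret)."""
    cfg = TENANTS[tenant]
    creds = base64.b64encode(f"{cfg['client_id']}:{cfg['client_secret']}".encode()).decode()
    return {"url": cfg["introspection_url"],
            "headers": {"Authorization": f"Basic {creds}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"token": token, "token_type_hint": "access_token"})}


def authorize(host_header: str, token: str, send: Callable[[dict], dict],
              principal_claim: str = "sub") -> Optional[str]:
    """Return the principal (the post's principal-claim, default "sub") for an active token,
    else None. `send` posts the request and returns the parsed JSON response (injected)."""
    tenant = resolve_tenant(host_header)
    if tenant is None:
        return None
    resp = send(build_introspection_request(tenant, token))
    if resp.get("active") is not True:  # RFC 7662: anything other than true is inactive
        return None
    return resp.get(principal_claim)
```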





Farah Juma

Jul 24, 2023, 9:45:07 AM7/24/23
to WildFly
Hi Olivier,

If you're looking for something similar to what's available from the Keycloak adapter, check out this blog post that describes similar multi-tenancy support with the elytron-oidc-client subsystem:
