Reputation: 88
I have a Spring Boot 3 microservice and a standalone keycloak which has multiple realms. Users can call endpoints and pass the "Authorization" header there, which contains the Bearer jwt token, which specifies one of the existing realms.
How is it possible to implement this behavior when the spring boot microservice accesses the required realm to authenticate the current request, determining the realm dynamically based on the request?
Please note that I am using Spring Boot v3.0.6. Previously I worked based on the topic Spring Boot Keycloak Multi Tenant Configuration, but now we can't use the previous approach, as was said there: Use Keycloak Spring Adapter with Spring Boot 3
I have only one idea: create a few oauth2 providers, one for each realm, and somehow implement the choice of the target provider at runtime. Thank you very much in advance!
Upvotes: 1
Views: 3491
Reputation: 88
Finally I found the way to build multi-tenancy using Spring Boot:
https://docs.spring.io/spring-security/reference/reactive/oauth2/resource-server/multitenancy.html
Upvotes: -1
Reputation: 12835
You can follow my tutorials, all are multi-tenant. All configured for "static" multi-tenancy, but one which demos conf for "dynamic" tenants.
Some are using just Spring Boot "official" starters and some are using thin wrappers around it. With the latest, you can configure a resource server to accept JWTs issued by as many realms as you want with almost 0 Java conf:
<properties>
    <com.c4-soft.springaddons.version>6.1.9</com.c4-soft.springaddons.version>
</properties>
<dependencies>
    <dependency>
        <groupId>com.c4-soft.springaddons</groupId>
        <artifactId>spring-addons-webmvc-jwt-resource-server</artifactId>
        <version>${com.c4-soft.springaddons.version}</version>
    </dependency>
</dependencies>

@Configuration
@EnableMethodSecurity
public static class WebSecurityConfig {
}

scheme: http
origins: ${scheme}://localhost:4200,${scheme}://localhost:8080,${scheme}://localhost:8100
auth-server: https://localhost:8443

com:
  c4-soft:
    springaddons:
      security:
        cors:
          - path: /solutions/**
            allowed-origins: ${origins}
        issuers:
          - location: ${auth-server}/realms/realm1
            username-claim: $.preferred_username
            authorities:
              - path: $.realm_access.roles
              - path: $.resource_access.*.roles
          - location: ${auth-server}/realms/realm2
            username-claim: $.preferred_username
            authorities:
              - path: $.realm_access.roles
              - path: $.resource_access.*.roles
          - location: ${auth-server}/realms/realm3
            username-claim: $.preferred_username
            authorities:
              - path: $.realm_access.roles
              - path: $.resource_access.*.roles
        permit-all:
          - /actuator/health/readiness
          - /actuator/health/liveness
          - /v3/api-docs/**

server:
  ssl:
    enabled: false

---
scheme: https
server:
  ssl:
    enabled: true
spring:
  config:
    activate:
      on-profile: ssl
If the realms are generated at runtime (after the resource servers are started), but you don't want to use "my" starters, then you'll have to refer to Spring Security reference documentation.
Upvotes: 2
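As an added example that is not part of either answer, the following is what the "plain Spring Security" route (the multitenancy reference page linked in the first answer, applied without the spring-addons starter) looks like for the setup described in the question: one Boot 3 resource server, several Keycloak realms, realm chosen per request from the token's issuer. It uses only Spring Security 6 classes (JwtIssuerAuthenticationManagerResolver, JwtDecoders, JwtAuthenticationProvider, JwtAuthenticationConverter). The package name, the class name, the AUTH_SERVER value (taken from the second answer's YAML) and the KNOWN_REALMS set are assumptions for illustration; the permit-all paths mirror the YAML above. The security-relevant detail is that the "iss" claim is read from a not-yet-verified token, so it must be checked against a fixed trusted prefix before any discovery request is made, otherwise the service would fetch signing keys from whatever URL a token names.

```java
// Added example, not code from the question or either answer.
package com.example.multitenant; // hypothetical package name

import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableMethodSecurity
public class MultiRealmResourceServerConfig {

    // Only issuers under this Keycloak base URL are ever trusted (value from the YAML above;
    // assumed for this example). The realm name is the only part taken from the request.
    private static final String AUTH_SERVER = "https://localhost:8443";
    private static final String REALM_PREFIX = AUTH_SERVER + "/realms/";

    // Hard allow-list of realm names (assumed). An empty set means "any realm under AUTH_SERVER",
    // which is the "dynamic tenants" case where realms appear after the service has started.
    private static final Set<String> KNOWN_REALMS = Set.of("realm1", "realm2", "realm3");

    // One AuthenticationManager per issuer, built on first use and then cached.
    private final Map<String, AuthenticationManager> managers = new ConcurrentHashMap<>();

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Spring Security parses the unverified "iss" claim, asks our resolver for a manager,
        // and that manager verifies the signature against that issuer's keys only.
        var resolver = new JwtIssuerAuthenticationManagerResolver(this::managerForIssuer);
        http.oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver))
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health/readiness", "/actuator/health/liveness",
                                 "/v3/api-docs/**").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }

    /** Returns null for an untrusted issuer; Spring then rejects the token with 401 "Invalid issuer". */
    AuthenticationManager managerForIssuer(String issuer) {
        if (!isTrustedIssuer(issuer)) {
            return null;
        }
        return managers.computeIfAbsent(issuer, iss -> {
            // OIDC discovery (/.well-known/openid-configuration) runs only for trusted issuers,
            // so a token with an attacker-chosen "iss" cannot make the service fetch keys elsewhere.
            var decoder = JwtDecoders.fromIssuerLocation(iss);
            var provider = new JwtAuthenticationProvider(decoder);
            provider.setJwtAuthenticationConverter(keycloakConverter());
            return new ProviderManager(provider);
        });
    }

    static boolean isTrustedIssuer(String issuer) {
        if (issuer == null || !issuer.startsWith(REALM_PREFIX)) return false;
        String realm = issuer.substring(REALM_PREFIX.length());
        // Reject empty names and path tricks such as "realm1/../other" or "realm1?x=y".
        if (realm.isEmpty() || !realm.matches("[A-Za-z0-9_-]+")) return false;
        return KNOWN_REALMS.isEmpty() || KNOWN_REALMS.contains(realm);
    }

    /** Same mapping as the YAML above: preferred_username as principal, Keycloak roles as ROLE_*. */
    static JwtAuthenticationConverter keycloakConverter() {
        var converter = new JwtAuthenticationConverter();
        converter.setPrincipalClaimName("preferred_username");
        converter.setJwtGrantedAuthoritiesConverter(jwt -> extractRoles(jwt).stream()
            .<GrantedAuthority>map(r -> new SimpleGrantedAuthority("ROLE_" + r))
            .collect(Collectors.toList()));
        return converter;
    }

    /** Collects realm_access.roles plus resource_access.<client>.roles for every client. */
    static Collection<String> extractRoles(Jwt jwt) {
        var roles = new ArrayList<String>();
        Map<String, Object> realmAccess = jwt.getClaim("realm_access");
        if (realmAccess != null && realmAccess.get("roles") instanceof Collection<?> c) {
            c.forEach(r -> roles.add(String.valueOf(r)));
        }
        Map<String, Object> resourceAccess = jwt.getClaim("resource_access");
        if (resourceAccess != null) {
            for (Object client : resourceAccess.values()) {
                if (client instanceof Map<?, ?> m && m.get("roles") instanceof Collection<?> c) {
                    c.forEach(r -> roles.add(String.valueOf(r)));
                }
            }
        }
        return roles;
    }
}
```

With KNOWN_REALMS populated this behaves like the three-issuer YAML in the answer above (each realm's decoder is created lazily instead of at startup); with KNOWN_REALMS empty it covers the "realms generated at runtime" case, and the prefix check plus the realm-name regex is what keeps that dynamic mode from trusting an arbitrary issuer URL.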