Your application validates from both the realms #2
Comments
|
You have a clear authentication context. You may place the tenant identification on the principal and e.g. annotate endpoints to match this. You could even add some logic in between that ties a user and a tenant to a business defined "functional role" per tenant. There are endless possibilities. |
|
There are tons of solution to this problem. At the top of my head you can separate the set of endpoints per tenant by adding a prefix to the URL like /tenant1/api/ then use Spring Aspect around invoke to compare the value of the realm to the one in the URL. But really, it's already up to you. |
|
Can you suggest an example with spring Aspect? |
|
ok .. i've now searching for weeks for a solution until finding this single issue here ... |
|
Hi @goafabric, can you describe what specifically is your problem and why this solution does not work for your use case? |
|
hi @czetsuya as @AasthaSethia already described ... I guess (the combination of) spring securoty and the keycloak adapter does not take the tenantid into account of the session ... So it would be nice to have a working example. e.g. the Quarkus OIDC Implementation does everything right of the box .. simple multi tenancy and when changing you have to relogin |
|
Hi, @goafabric @AasthaSethia did you figure out the workaround for this issue? |
Ideally realm A should only be allowed to access endpoint with realm A in it but in your application once login has happened via realm a, even endpoint with realm B is accessed. can you please guide me what can be done to rectify this?
The text was updated successfully, but these errors were encountered: