Spring Security: Multiple OpenID Connect Clients for Different Paths?

Question

Using Spring Boot 2.1.5 and Spring Security 5, I'm trying to use two different OpenID clients (based in Keycloak). Here is what we have in application.properties.

spring.security.oauth2.client.registration.keycloak-endusersclient.client-id=endusersclient
spring.security.oauth2.client.registration.keycloak-endusersclient.client-secret=7b41aaa4-277f-47cf-9eab-91afacd55d2c
spring.security.oauth2.client.provider.keycloak-endusersclient.issuer-uri=https://mydomain/auth/realms/endusersrealm

spring.security.oauth2.client.registration.keycloak-employeesclient.client-id=employeesclient
spring.security.oauth2.client.registration.keycloak-employeesclient.client-secret=7b41aaa4-277f-47cf-9eab-91afacd55d2d
spring.security.oauth2.client.provider.keycloak-employeesclient.issuer-uri=https://mydomain/auth/realms/employeesrealm

You can see from the snippet above, we are trying to use one OpenID client for endusers (customers) and another for employees.

In the security configuration class, we see how to configure security on different patterns as follows:

public class OpenIDConnectSecurityConfig extends
WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity http) throws Exception {

    // avoid multiple concurrent sessions
    http.sessionManagement().maximumSessions(1);


    http.authorizeRequests()
            .antMatchers("/endusers/**").authenticated()
            .antMatchers("/employees/**").authenticated()
            .anyRequest().permitAll().and()
            .oauth2Login()
            .successHandler(new OpenIDConnectAuthenticationSuccessHandler())
            .and()
            .logout().logoutSuccessUrl("/");

What I don't understand is how to configure each OpenID client to fire on a separate URL pattern. In the example above, we would like to see the endusers client be used when hitting URL's starting with "/endusers", and to use the employees client when hitting URL's starting with "/employees".

Can this be done?

Answer 1

You need to use AuthenticationManagerResolver for the multi-tenant case, in which endusersclient and employeesclient are your tenants.

public class CustomAuthenticationManagerResolver implements AuthenticationManagerResolver<HttpServletRequest> {


@Override
public AuthenticationManager resolve(HttpServletRequest request) {
    return fromTenant();
}

private AuthenticationManager fromTenant(HttpServletRequest request) {
            String[] pathParts = request.getRequestURI().split("/");
//TODO find your tanent from the path and return the auth manager
}

// And in your class, it should be like below

private CustomAuthenticationManagerResolver customAuthenticationManagerResolver;

http.authorizeRequests()
        .antMatchers("/endusers/**").authenticated()
        .antMatchers("/employees/**").authenticated()
        .anyRequest().permitAll().and().oauth2ResourceServer().authenticationManagerResolver(this.customAuthenticationManagerResolver);