Multi-tenant OAuth2 login (authorization-code flow) from Single Page Applications

[lucapino]

Hi all!

I'm trying to migrate a configuration for multitenant transparent login using Keycloak Adapters with Spring Boot 2 to simple Spring Security 6.

I've implemented a solution based on an HeaderBasedConfigResolver that permits redirect to the correct keycloak realm URL, based on an header prevously set, following this article -> https://www.czetsuyatech.com/2020/11/spring-boot-multi-tenancy-with-keycloak.html

With this implementation I implement an HeaderBasedConfigResolver that resolve the configuration based on a specific header so the Keycloak Adapter can redirect to the correct login URL (based on the realm name).

Now, Keycloak Adapters doesn't work anymore with Spring Boot 3, so I was trying to find an alternative solution.

I don't find anything that can fit my needs, but only a solution that prompts for the authorization server to use...

So I'm asking an advice

BR
Luca Tagliani

[ch4mpy]

If you are in the case of "static" mutli-tenancy (you know at startup which issuers you want to trust), a look at the BFF tutorial and more specifically at the GatewayController.

The idea behind this implementation is that a REST endpoint exposes the list of URIs to initiate user authentication (DTO is composed of an URI and a label which might be pretty close to the value of the header you used so far). There is one entry for each client "registration" with authorization-code flow and as you should have one such registration for each issuer.

This achieves what you want with just one small difference: the frontend uses a different URI for each issuer (provided by the Spring OAuth2 client) without any specific header, instead of a unique URI with a different header for each issuer.

[lucapino]

Thanks @ch4mpy for the quick answer, but if you don't mind I will try to describe more in detail my original flow, because I don't think I was clear.

First of all, my tenants are surely statically defined also because the creation of a new tenant cannot be performed at runtime (involves multiple components/DB so this is not the case)

So, my original flow is as follow:

• user browse the URL of the GUI app (e.g. tenant1.example.com)
• the URL is resolved by an NGINX instance that sets a custom header to identify the tenant (it may be different from the subdomain in the URL) then proxy the request to the real SB app
• the SB app, using a custom filter extracts the <tenant_name> and sets the correct configuration on Keycloak Adapter
• the user's browser is redirected to the specific Keycloak URL (e.g. keycloak.example.com/auth/realms/<tenant_name>) for the authentication
• the user authenticate using Keycloak login page and then is redirected back to the app with the Bearer token in the Authentication header

The header set by NGINX is needed at application level to manage the multitenancy (not only for authentication purposes), so I cannot remove it

As you can see, from the user's point of view the flow is automatic (the user doesn't have to choose anything and is redirected to the correct URL of Keycloak as if it is the only one configured)

If I understood well, your solution provides a URL to call to choose the issuer and if the issuer is the only one it will redirect directly to the correct login URL.

I want to avoid to call a custom URL and act as if there is only an authentication server.

Forgive me if this is already understood (or even less clear than before 😉 )

BR
Luca Tagliani

[ch4mpy]

@lucapino as a preamble, apparently, your Angular app is configured as a "public" OAuth2 client, which has been considered a worst practice for years. Spring Security team published about that 2-3 years ago and you might find posts from other security experts even before that. Requests from your Angular app should be authorized with sessions (and CSRF protection), not with tokens. You should probably use a middleware (a Backend For Frontend, aka BFF) between your Angular app and your Spring resource servers to translate from session based security to token based security. But all that is already explained in the tutorial I linked in my preceding comment.

Back to your question: apparently you did not understand the solution in my preceding comment, so I'll try to be very specific with samples.

Let's say that you host two sites:

• https://www.luca.it
• https://www.tagliani.it

Let's now say that each site has it's own realm with respectively as issuers:

• https://sso.lucapino.it/realms/luca
• https://sso.lucapino.it/realms/tagliani

Let's also say that, as BFF, you have a spring-cloud-gateway instance configured with:

• spring-boot-starter-oauth2-client and oauth2Login() to handle OAuth2 authorization-code flow and store tokens in sesssions
• TokenRelay= filter to replace session cookie with the access token in session before forwarding a request from the frontend to a resource server
• StripPrefix=2 filter on route(s) intercepting /bff/v1/** and forwarding to resource server(s), stripping the /bff/v1 prefix
• Spring Security OAuth2 "registrations" for your two issuers

user-name-attribute: preferred_username
luca-issuer: https://sso.lucapino.it/realms/luca
luca-client-id: luca-bff
luca-client-secret: change-me
tagliani-issuer: https://sso.lucapino.it/realms/tagliani
tagliani-client-id: tagliani-bff
tagliani-client-secret: change-me

spring:
  security:
    oauth2:
      client:
        provider:
          luca:
            issuer-uri: ${luca-issuer}
            user-name-attribute: ${user-name-attribute}
          tagliani:
            issuer-uri: ${tagliani-issuer}
            user-name-attribute: ${user-name-attribute}
        registration:
          luca:
            provider: luca
            client-id: ${luca-client-id}
            client-secret: ${luca-client-secret}
            authorization-grant-type: authorization_code
            scope:
            - openid
            - offline_access
          tagliani:
            provider: tagliani
            client-id: ${tagliani-client-id}
            client-secret: ${tagliani-client-secret}
            authorization-grant-type: authorization_code
            scope:
            - openid
            - offline_access

Last, let's consider that you have a reverse-proxy with following routing with a single BFF instance and 2 distinct Angular apps served from nginx containers or dev-servers or whatever:

• https://www.luca.it/ui/** => 1st Angular app that we'll call luca-ui
• https://www.luca.it/login-options => BFF
• https://www.luca.it/oauth2/authorization/** => BFF
• https://www.luca.it/login/oauth2/code/** => BFF
• https://www.luca.it/bff/v1/** => BFF
• https://www.tagliani.it/ui/** => 2nd Angular app that we'll call tagliani-ui
• https://www.tagliani.it/login-options => BFF
• https://www.tagliani.it/oauth2/authorization/** => BFF
• https://www.tagliani.it/login/oauth2/code/** => BFF
• https://www.tagliani.it/bff/v1/** => BFF

Now, on the BFF (which holds the OAuth2 client configuration and is responsible for driving the authorization-code flow), you expose a /login-options endpoint listing options for users to login. This endpoint could answer something like

{
  "luca": "https://www.luca.it/oauth2/authorization/luca",
  "tagliani": "https://www.tagliani.it/oauth2/authorization/tagliani"
}

All the luca-ui has to do to authenticate a user is calling https://www.luca.it/login-options to retrieve the login options offered by the BFF and then follow to the URI associated to luca in the payload => no need to prompt the user for that!

Of course, if you already have a header on the frontend with an identifier of the issuer or registration you want to use with that frontend, you can send it along with the /login-options request and implement the Spring endpoint to return only the login options associated with that issuer or registration.

In any case, your Angular app should be ready to get:

• 0 option (display an error?). This might happen with misconfiguration for instance.
• exactly 1 option (follow redirect without any prompt?). This should be the most frequent case.
• more than 1 options (use business logic or static configuration to filter entries and fallback to the 0 or 1 option behaviors? Prompt the user which to use?). This can happen when you configure more than one registrations with authorization-code for a given issuer (different OAuth2 client, different scopes, ...), but this is pretty rare.

I hope you can adapt by yourself the use-case above if you prefer to use https://www.lucapino.it/luca/** and https://www.lucapino.it/tagliani/** instead of https://www.luca.it/ui/** and https://www.tagliani.it/ui/** for your Angular apps or if you want to add Keycloak to the services behind the reverse-proxy (to easily display login forms in iframes for instance).

On the resource server side, this is just standard "static" multi-tenancy configuration: requests will arrive from the BFF with tokens containing either https://sso.lucapino.it/realms/luca or https://sso.lucapino.it/realms/tagliani as issuer and the resource server should accept both. spring-addons supports that out of the box.

[lucapino]

Hi @ch4mpy, first of all a big thanks for your help! 🙇🏼‍♂️

But, as I was thinking, I didn't clearly define my scenario, so your solution fits perfectly for a case that I think it's not mine.

Forgive me, but my scenario is more complicated

I have an architecture where the angular app is deployed inside a spring boot microservice and served by its embedded Tomcat.

Let's call this app ui-webapp

This angular app is not a real SPA, because we have different pages for different operations (dashboard, document view and search).

This is the ONLY instance of the frontend SB app that serves ALL the tenants

To display its UI, the app nedds to call other microservices (all SB) that provides secured REST API and are not exposed externally to the browser (are in a so-called trusted zone)

To protect the trusted zone there is a gateway (SB3 with Spring Cloud Gateway) that checks the Bearer token validity before permitting the communication to proceed to these microservices.

For this purpose, inside the frontend app also is configured a Zuul proxy that forwards calls to these microservices through the gateway (think about it as a BFF), to avoid CORS (angular always call its own backend on the same URL) and preserve the Bearer token.

Currently, I achieve this by the use of an NGINX reverse proxy that resolve the different URL to the same app, setting only the custom header (e.g. https://luca.ui-webapp.example.com, https://tagliani.ui-webapp.example.com, all resolving to the same ui-webapp)

The auth server, being a SINGLE instance of Keycloak expose its realms under https://keycloak-server.example.com/auth/realms/<realm_name>

What I want to achieve (and what I have with the current SB2 implementation) is that when a browser calls the public URL (through NGINX) on the app (the home or every other page, eventually with a querystring), it's redirected to the keycloak-server login without the need to use a particular URL

After the authentication the user should be redirected to the original URL called.

This is a possible representation of the flow:

0. User writes the URL on the browser https://luca.ui-webapp.example.com/dashboard?orderBy=date
1. The app use https://kycloak-server.example.com/auth/realms/luca and redirect to the correct login page (this is the magic made by the custom configuration and the use of the Keycloak Adapter)
2. The user authenticate inside Keycloak, generating a token
3. The browser redirects to the original URL and the SB app extracts and verifies the access token present in the Authentication header and sets the current SecurityContext
4. The browser display the https://luca.ui-webapp.example.com/deshboard?orderBy=date page because now each angular request is authenticated by the token

When the angular app needs a resource from a microservice inside the trusted zone it calls an URL of the following format:
https://luca.ui-webapp.example.com/gateway-server/microservice-1/greetings

The Zuul proxy, being configured to serve anything under the context gateway-server to the gateway microservice, forwards the call attaching the Bearer token to the headers, so the microservice can verify the authorization

If I understand correctly your example, my angular code would need to call the /login-options endpoint (that I can surely configure in its own backend) before any request to the backend to retrieve the login URL.

But with my current implementation, my angular app is called after the authorization flow, because all URLs are under security

For simplicity I report the Security Configuration (SB 2) that I have now, and that can explain better the scenario

@Bean
protected CustomSecurityCorsFilter customCorsFilter() {
    return new CustomSecurityCorsFilter();
}

@Bean(name = "customKeycloakUtilFactory")
public CustomKeycloakUtilFactory customKeycloakUtilFactory(CustomKeycloakSpringBootProperties config) {
    return new CustomKeycloakUtilFactory(config);
}

/**
 * Defines the session authentication strategy.
 */
@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
    // required for bearer-only applications.
    return new NullAuthenticatedSessionStrategy();
}

/**
 * Registers the KeycloakAuthenticationProvider with the authentication manager.
 */
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
    // simple Authority Mapper to avoid ROLE_
    keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    auth.authenticationProvider(keycloakAuthenticationProvider);
}

/**
 * Required to handle spring boot configurations
 */
@Bean
public KeycloakConfigResolver KeycloakConfigResolver(CustomKeycloakUtilFactory factory) {
    return new HeaderBasedConfigResolver(factory);
}

@Bean
public CorsConfigurationSource corsConfigurationSource() {
    CorsConfiguration configuration = new CorsConfiguration();
    configuration.setAllowedOrigins(Arrays.asList("*"));
    configuration.setAllowedMethods(Arrays.asList(HttpMethod.OPTIONS.name(), "GET", "POST"));
    configuration.setAllowedHeaders(Arrays.asList("Access-Control-Allow-Headers", "Access-Control-Allow-Origin",
        "Authorization", "realm"));
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", configuration);
    return source;
}


@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .sessionManagement()
        // use previously declared bean
        .sessionAuthenticationStrategy(sessionAuthenticationStrategy())

        // keycloak filters for securisation
        .and()
        // this is needed to pass the preflight CORS security on BROWSER
        .addFilterBefore(customCorsFilter(), SecurityContextPersistenceFilter.class)
        .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
        .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
        .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())

        // add cors options
        .and().cors()
        // delegate logout endpoint to spring security

        .and()
        .logout()
        .logoutUrl("/api/auth-helper/logout")
        .invalidateHttpSession(true)
        .deleteCookies("JSESSIONID")
        .logoutSuccessUrl("/").and()
        .authorizeRequests()
        // EVERYTHING under security so we redirect to auth-server  WITHOUT LOADING ANGULAR
        .antMatchers("/ui-webapp-mngmt/actuator/**",
            "/actuator/**",
            "/health/**",
            "/configuration/**",
            "/swagger*/**",
            "/webjars/**",
            "/v2/api-docs",
            "favicon.ico",
            "wm-favicon.svg",
            "wr-favicon.ico",
            // insert /index.html and config.json under security exceptions
            IndexController.INDEX_PATH,
            ApplicationConfigHelperController.BASE_PATH + ApplicationConfigHelperController.CONFIG_PATH)
        .permitAll()
        .anyRequest().authenticated()
        .and()
        .csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

    http.headers().frameOptions().sameOrigin();
 
}

For me the problem arise because if I don't use the Keycloak Adapter and the solution that I have linked in my previous comment, I have no means to intercept the authorization flow at step 1. of the list above to determine which realm to use, because the flow is managed directly by Spring Security that can use only one configuration

I hope I have been more clearer and ask your forgiveness for my reiterate request 🙏🏼

BR

Luca Tagliani

[ch4mpy]

Edit: my preceding answer probably better covers the subject.

The solution you request sticks to the Angular app being a public client. This is bad. Have you solely read the Final Recommendation from the 1st post in the thread I linked several times already? To be very clear your Angular app should not have access to tokens (which means that it should not be able to send tokens with request) and the OAuth2 client configuration resolution should not be done in Angular.

Appart from that:

• it is generally considered a good practice to have a public landing page for many reasons (UX, search engine indexers, ...)
• you can expose expose Angular assets publicly, have Angular app initialize, fetch login-options and then immediately redirect to login (but again, actually displaying a welcome page is probably a better idea, even if any request to the backend will require some authorization)
• serving Angular assets from a Spring servlet is far from being optimal
• you don't have to serve Angular from a Spring application to achieve SameOrigin: any reverse proxy routing to what serves Angular assets and Spring resource server(s) (or a gateway for it) would do the job. Actually, if you configure your nginx instance to serve the Angular assets, you would have SameOrigin (as long as the browser gets both Angular assets and REST resources through this reverse proxy, you'll have SameOrigin).
• I can't think of your gateway as an OAuth2 BFF because:
  • it does not acquire and store tokens in sessions (it is configured as resource server, not as client with oauth2Login())
  • it does not replace session cookie with access token header when forwarding a request

[lucapino]

Hi @ch4mpy,
hanks for the clarification.

I think that I will go for a deep rewrite of my hybrid application, separating the Angulr part from the SB3 part.

Based on that and following your advices, I think I could customize the /login-options endpoint to manage the custom header required by my application.
With this customization I would provide the one and only login URL that fits correctly with the header name.

At this point I could make my Angular app to automatically redirect to this URL.

For the public landing page I admit it should be better, but I have to talk with my UI developers and check my company requirements...

Again, a big thank you for your patience

BR

Luca Tagliani