Merge pull request quarkusio#47570 from ayagmar/issues/47562_improve_oidc_tenant_resolver

sberyozkin · web-flow · commit b11cdaf9a39f · 2025-04-29T16:44:58.000+01:00
OIDC : Improve DefaultStaticTenantResolver URL handling
diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/StaticTenantResolver.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/StaticTenantResolver.java
@@ -84,7 +84,7 @@ Uni<String> resolve(RoutingContext context) {
     }
 
     private static final class DefaultStaticTenantResolver implements TenantResolver {
-
+        private static final String PATH_SEPARATOR = "/";
         private final TenantConfigBean tenantConfigBean;
 
         private DefaultStaticTenantResolver(TenantConfigBean tenantConfigBean) {
@@ -93,13 +93,12 @@ private DefaultStaticTenantResolver(TenantConfigBean tenantConfigBean) {
 
         @Override
         public String resolve(RoutingContext context) {
-            String[] pathSegments = context.request().path().split("/");
-            if (pathSegments.length > 0) {
-                String lastPathSegment = pathSegments[pathSegments.length - 1];
-                if (tenantConfigBean.getStaticTenant(lastPathSegment) != null) {
+            String[] pathSegments = context.request().path().split(PATH_SEPARATOR);
+            for (String segment : pathSegments) {
+                if (tenantConfigBean.getStaticTenant(segment) != null) {
                     LOG.debugf(
-                            "Tenant id '%s' is selected on the '%s' request path", lastPathSegment, context.normalizedPath());
-                    return lastPathSegment;
+                            "Tenant id '%s' is selected on the '%s' request path", segment, context.normalizedPath());
+                    return segment;
                 }
             }
             return null;
diff --git a/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/UsersResource.java b/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/UsersResource.java
@@ -1,16 +1,20 @@
 package io.quarkus.it.keycloak;
 
+import static io.quarkus.oidc.runtime.OidcUtils.TENANT_ID_ATTRIBUTE;
+
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
 import jakarta.ws.rs.core.MediaType;
 
 import org.eclipse.microprofile.jwt.JsonWebToken;
 
 import io.quarkus.it.keycloak.model.User;
 import io.quarkus.security.identity.SecurityIdentity;
+import io.vertx.ext.web.RoutingContext;
 
 /**
  * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@@ -20,6 +24,8 @@ public class UsersResource {
 
     @Inject
     SecurityIdentity identity;
+    @Inject
+    private RoutingContext context;
 
     @GET
     @Path("/me/bearer")
@@ -41,8 +47,23 @@ public User principalNameId() {
     @Path("/preferredUserName/bearer")
     @RolesAllowed("user")
     @Produces(MediaType.APPLICATION_JSON)
-    public User preferredUserName() {
-        return new User(((JsonWebToken) identity.getPrincipal()).getClaim("preferred_username"));
+    public User preferredUserName(@QueryParam("includeTenantId") boolean includeTenantId) {
+        String preferredUsername = ((JsonWebToken) identity.getPrincipal()).getClaim("preferred_username");
+        if (includeTenantId) {
+            String tenantId = context.get(TENANT_ID_ATTRIBUTE);
+            return new User(preferredUsername, tenantId);
+        }
+        return new User(preferredUsername);
+    }
+
+    @GET
+    @Path("/preferredUserName/bearer/token")
+    @RolesAllowed("user")
+    @Produces(MediaType.APPLICATION_JSON)
+    public User preferredUserNameWithExtendedPath() {
+        String preferredUsername = ((JsonWebToken) identity.getPrincipal()).getClaim("preferred_username");
+        String tenantId = context.get(TENANT_ID_ATTRIBUTE);
+        return new User(preferredUsername, tenantId);
     }
 
     @GET
diff --git a/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/model/User.java b/integration-tests/oidc-wiremock/src/main/java/io/quarkus/it/keycloak/model/User.java
@@ -3,12 +3,23 @@
 public class User {
 
     private final String userName;
+    private final String tenantId;
 
     public User(String name) {
         this.userName = name;
+        this.tenantId = null;
+    }
+
+    public User(String userName, String tenantId) {
+        this.userName = userName;
+        this.tenantId = tenantId;
     }
 
     public String getUserName() {
         return userName;
     }
+
+    public String getTenantId() {
+        return tenantId;
+    }
 }
diff --git a/integration-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java b/integration-tests/oidc-wiremock/src/test/java/io/quarkus/it/keycloak/BearerTokenAuthorizationTest.java
@@ -58,6 +58,28 @@ public void testSecureAccessSuccessPreferredUsername() {
         }
     }
 
+    @Test
+    public void testTenantIdFromRoutingContextDefaultTenantResolver() {
+        String username = "alice";
+        String tenantId = "bearer";
+        String accessToken = getAccessToken(username, Set.of("user"));
+
+        RestAssured.given().auth().oauth2(accessToken)
+                .queryParam("includeTenantId", Boolean.TRUE)
+                .when().get("/api/users/preferredUserName/bearer")
+                .then()
+                .statusCode(200)
+                .body("userName", equalTo(username))
+                .body("tenantId", equalTo(tenantId));
+
+        RestAssured.given().auth().oauth2(getAccessToken(username, Set.of("user", "admin")))
+                .when().get("/api/users/preferredUserName/bearer/token")
+                .then()
+                .statusCode(200)
+                .body("userName", equalTo(username))
+                .body("tenantId", equalTo(tenantId));
+    }
+
     @Test
     public void testAccessResourceAzure() throws Exception {
         String azureToken = readFile("token.txt");
