OIDC Multitenancy Always Resolves to Default

[MatthewThomasTiani]

Hi, I am working through the guide oidc-multitenancy to attempt to set up a very simple REST API I can play with to further learn this extension. My goal is to have a local bearer token validator and also a AWS cognito token validator as this fits my customer requirement.

I am using the latest quarkus version 3.30.3. The configuration I have is as follows,

quarkus.oidc.resolve-tenants-with-issuer=true

#DEFAULT
quarkus.oidc.discovery-enabled=true
quarkus.oidc.auth-server-url=https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4
quarkus.oidc.roles.role-claim-path=cognito:groups
quarkus.oidc.token.principal-claim=username

#TENANT-A
quarkus.oidc.tenant-a.discovery-enabled=false
quarkus.oidc.tenant-a.roles.role-claim-path=extensions/ihe_iua/subject_role/code
quarkus.oidc.tenant-a.token.issuer=my_issuer
quarkus.oidc.tenant-a.public-key={some_really_long_public_key}

When I start quarkus, the logs are as followsm

2025-12-10 16:48:04,683 DEBUG [io.quarkus.oidc.runtime.OidcRecorder] (Quarkus Main Thread) 'public-key' property for the local token verification is set, no connection to the OIDC server will be created

2025-12-10 16:48:05,222 DEBUG [io.quarkus.oidc.runtime.OidcProviderClientImpl] (vert.x-eventloop-thread-1) Get verification JWT Key Set at https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4/.well-known/jwks.json
2025-12-10 16:48:05,292 DEBUG [io.quarkus.oidc.runtime.OidcProviderClientImpl] (vert.x-eventloop-thread-1) Request succeeded: {"keys":[{"alg":"RS256","e":"AQAB","kid":"mu667634vJbcSYnrM+m90nEwicHHOtRjnprdMVcI1BM=","kty":"RSA","n":"rJNBHyZNFXT2aqzMu0gCwnA-40teegPpqLT_Fe6G95Ag8y3gXCfnI30GrpMvdXL-U0jWmEvOUmc67sSCHkfNcVrwRii8rV7QAi7jdPHH8zEvSNTHSZjnxa-9swjJ0W1bIxSTNkMLW3RvwhTWyiZG7A-TGeQy5H3fKn2Hp-PlVqU0---rZcfF4foN5quRDelEqRK_0vGfCzvZuVz3s3meCnRJcMoc-poVEtNyne6KxeToD0DLI_8nc0_J3U90LHiUk7W6yAPVPbnqyQ77FcJ_JUucsCGQFL54fH-lf0OSTeDv81JtOGHgOVMgKHr7d4Z7Jip0WoUW0iwi9KMc4oj8Nw","use":"sig"},{"alg":"RS256","e":"AQAB","kid":"Iy06xS+7aKOvDJ8t9Xs7g7T8mEWsckE/Nqsq/5YP0mM=","kty":"RSA","n":"3JUrWXqNHi-qFsLGkB93o2Q5V5Y10awxiEsnIFnr1gT0cobyqthfOatkHFHGIfj7PXc_Wu4shWSv5f4djHipbbpbvn0XpsDYcWAr6CmvF1M5mPWE2NPxdPzBrGp5hPKTxMiKLg7dsNTbP-L5aw2tMD1RQ0sAkABvQa9T7bVfx8H4l-RDIpprsCbA2Js2MC7DWgR25gNKEWei6Pv2xnIxmsnhKNq1RCN3yiEse3POBwPckekhA2ukCy8SqNPruGsE_dJAmUAZRYfFidC3bibDhv-Y3VVc7O2yt1YpMx7b5Y5ktzzFYE79EwiHHjIiW217-iFM8osi6sbOWp_idNYOvQ","use":"sig"}]}

And then when I send a request with a token obtained from Cognito I see this,

2025-12-10 16:48:45,150 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-3) Looking for a token in the authorization header
2025-12-10 16:48:45,150 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-3) Authorization scheme: Bearer
2025-12-10 16:48:45,152 DEBUG [io.quarkus.oidc.runtime.StaticTenantResolver] (vert.x-eventloop-thread-3) Resolved the 'Default' OIDC tenant based on the matching issuer 'https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4'
2025-12-10 16:48:45,153 DEBUG [io.quarkus.oidc.runtime.OidcAuthenticationMechanism] (vert.x-eventloop-thread-3) Resolved OIDC tenant id: Default
2025-12-10 16:48:45,154 DEBUG [io.quarkus.oidc.runtime.BearerAuthenticationMechanism] (vert.x-eventloop-thread-3) Starting a bearer access token authentication
2025-12-10 16:48:45,156 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-3) Starting creating SecurityIdentity
2025-12-10 16:48:45,158 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-3) Verifying the JWT token with the local JWK keys

Which makes absolute sense and works.

Then, when I obtain a token which is signed by the private key of tenant-a I see this,

2025-12-10 16:54:27,387 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Looking for a token in the authorization header
2025-12-10 16:54:27,388 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Authorization scheme: Bearer
2025-12-10 16:54:27,389 DEBUG [io.quarkus.oidc.runtime.OidcAuthenticationMechanism] (vert.x-eventloop-thread-2) Resolved OIDC tenant id: Default
2025-12-10 16:54:27,389 DEBUG [io.quarkus.oidc.runtime.BearerAuthenticationMechanism] (vert.x-eventloop-thread-2) Starting a bearer access token authentication
2025-12-10 16:54:27,389 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Looking for a token in the authorization header
2025-12-10 16:54:27,390 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Authorization scheme: Bearer
2025-12-10 16:54:27,390 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-2) Starting creating SecurityIdentity
2025-12-10 16:54:27,391 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-2) Verifying the JWT token with the local JWK keys
2025-12-10 16:54:27,392 DEBUG [io.quarkus.oidc.runtime.OidcProvider] (vert.x-eventloop-thread-2) Token verification has failed: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: JWK with kid 'server1' is not available): JsonWebSignature{"kid":"server1","alg":"RS256","typ":"JWT"}->eyJraWQiOiJzZXJ2ZXIxIiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3NjUzODU1NzgsIm5iZiI6MTc2NTM4NTU3OCwiYXVkIjoiTGFuY2FzaGlyZVNvdXRoQ3VtYnJpYUludGVncmF0ZWRDYXJlU3lzdGVtIiwic3ViIjoiMTkwYmY2OWQtNTBiNC00NTgwLWE2OTEtODg0NmRkMzk4YmVlIiwiZXhwIjoxNzY1Mzg5MTc4LCJqdGkiOiI2YzEwMjkwNy02NDRiLTQ5MDEtOTBhZi04NDYxNzJlNWNhMjAiLCJpc3MiOiJ1cm46dGlhbmktc3Bpcml0OnN0cyIsInNjb3BlIjoiSVRJLTY2IElUSS02NyBJVEktNjggSVRJLTc4IElUSS04MyBQQ0MtNDQiLCJwYXRpZW50X2lkIjoiNzc3Nzc3Nzc3NyIsImV4dGVuc2lvbnMiOnsiaWhlX2l1YSI6eyJob21lX2NvbW11bml0eV9pZCI6InVybjpvaWQ6Mi4xNi44NDAuMS4xMTM4ODMuMi4xLjMuMzEuMi4xLjEuMS4xLjEyIiwic3ViamVjdF9vcmdhbml6YXRpb25faWQiOiJDT1JFIiwic3ViamVjdF9yb2xlIjp7InN5c3RlbSI6IjEuMi4zLjQuNS43IiwiY29kZSI6IkNsaW5pY2FsIiwiZGlzcGxheSI6IkNsaW5pY2FsIn0sInB1cnBvc2Vfb2ZfdXNlIjp7InN5c3RlbSI6IjEuMy42LjEuNC4xLjIxMzY3LjMwMDAuNC4xIiwiY29kZSI6IlRyZWF0bWVudCIsImRpc3BsYXkiOiJUUkVBVE1FTlQifSwic3ViamVjdF9uYW1lIjoidGlhbmlkZXZ0ZWFtQG5ocy5uZXQiLCJzdWJqZWN0X29yZ2FuaXphdGlvbiI6IkZDMSJ9fX0.Gy9k2AjmJZDpz4FhhnBfwFK_JVoBtuVqy3psKUhx9NIAn38SKa-E2iHiS2ZM0D4j7xWUFDQQ8wsuO9cI9DSk7GP2yjJX-_61TLiB-BbXjYoAPTGF5g8n8nQUYXp5tLLSAadsUoV46oCmQgUz4gDU3RQmnCNevlVwZK9OyAcu_WcnTESwJsLIuNLlXSpxY58xTrYbEZWVH1kCRQbl4Ksp6ENzTMJ09Gsphydf7Vb5tAc-vN3dwcPJ0dDhhuaIyjFaTuxzmnz7lgWamTUn9AIsoQ5rB3p_DnEytLLr7Tl9UnSRBHq4kR5I1eN8LlOtdfClD7jZ0SlozqIEw9D3nWmxAA

2025-12-10 16:54:27,393 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-2) No matching JWK key is found, refreshing and repeating the token verification
2025-12-10 16:54:27,393 DEBUG [io.quarkus.oidc.runtime.OidcProviderClientImpl] (vert.x-eventloop-thread-2) Get verification JWT Key Set at https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4/.well-known/jwks.json
2025-12-10 16:54:27,617 DEBUG [io.quarkus.oidc.runtime.OidcProviderClientImpl] (vert.x-eventloop-thread-2) Request succeeded: {"keys":[{"alg":"RS256","e":"AQAB","kid":"mu667634vJbcSYnrM+m90nEwicHHOtRjnprdMVcI1BM=","kty":"RSA","n":"rJNBHyZNFXT2aqzMu0gCwnA-40teegPpqLT_Fe6G95Ag8y3gXCfnI30GrpMvdXL-U0jWmEvOUmc67sSCHkfNcVrwRii8rV7QAi7jdPHH8zEvSNTHSZjnxa-9swjJ0W1bIxSTNkMLW3RvwhTWyiZG7A-TGeQy5H3fKn2Hp-PlVqU0---rZcfF4foN5quRDelEqRK_0vGfCzvZuVz3s3meCnRJcMoc-poVEtNyne6KxeToD0DLI_8nc0_J3U90LHiUk7W6yAPVPbnqyQ77FcJ_JUucsCGQFL54fH-lf0OSTeDv81JtOGHgOVMgKHr7d4Z7Jip0WoUW0iwi9KMc4oj8Nw","use":"sig"},{"alg":"RS256","e":"AQAB","kid":"Iy06xS+7aKOvDJ8t9Xs7g7T8mEWsckE/Nqsq/5YP0mM=","kty":"RSA","n":"3JUrWXqNHi-qFsLGkB93o2Q5V5Y10awxiEsnIFnr1gT0cobyqthfOatkHFHGIfj7PXc_Wu4shWSv5f4djHipbbpbvn0XpsDYcWAr6CmvF1M5mPWE2NPxdPzBrGp5hPKTxMiKLg7dsNTbP-L5aw2tMD1RQ0sAkABvQa9T7bVfx8H4l-RDIpprsCbA2Js2MC7DWgR25gNKEWei6Pv2xnIxmsnhKNq1RCN3yiEse3POBwPckekhA2ukCy8SqNPruGsE_dJAmUAZRYfFidC3bibDhv-Y3VVc7O2yt1YpMx7b5Y5ktzzFYE79EwiHHjIiW217-iFM8osi6sbOWp_idNYOvQ","use":"sig"}]}

2025-12-10 16:54:27,621 DEBUG [io.quarkus.oidc.runtime.OidcProvider] (vert.x-eventloop-thread-2) Token verification has failed: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: JWK with kid 'server1' is not available): JsonWebSignature{"kid":"server1","alg":"RS256","typ":"JWT"}->eyJraWQiOiJzZXJ2ZXIxIiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3NjUzODU1NzgsIm5iZiI6MTc2NTM4NTU3OCwiYXVkIjoiTGFuY2FzaGlyZVNvdXRoQ3VtYnJpYUludGVncmF0ZWRDYXJlU3lzdGVtIiwic3ViIjoiMTkwYmY2OWQtNTBiNC00NTgwLWE2OTEtODg0NmRkMzk4YmVlIiwiZXhwIjoxNzY1Mzg5MTc4LCJqdGkiOiI2YzEwMjkwNy02NDRiLTQ5MDEtOTBhZi04NDYxNzJlNWNhMjAiLCJpc3MiOiJ1cm46dGlhbmktc3Bpcml0OnN0cyIsInNjb3BlIjoiSVRJLTY2IElUSS02NyBJVEktNjggSVRJLTc4IElUSS04MyBQQ0MtNDQiLCJwYXRpZW50X2lkIjoiNzc3Nzc3Nzc3NyIsImV4dGVuc2lvbnMiOnsiaWhlX2l1YSI6eyJob21lX2NvbW11bml0eV9pZCI6InVybjpvaWQ6Mi4xNi44NDAuMS4xMTM4ODMuMi4xLjMuMzEuMi4xLjEuMS4xLjEyIiwic3ViamVjdF9vcmdhbml6YXRpb25faWQiOiJDT1JFIiwic3ViamVjdF9yb2xlIjp7InN5c3RlbSI6IjEuMi4zLjQuNS43IiwiY29kZSI6IkNsaW5pY2FsIiwiZGlzcGxheSI6IkNsaW5pY2FsIn0sInB1cnBvc2Vfb2ZfdXNlIjp7InN5c3RlbSI6IjEuMy42LjEuNC4xLjIxMzY3LjMwMDAuNC4xIiwiY29kZSI6IlRyZWF0bWVudCIsImRpc3BsYXkiOiJUUkVBVE1FTlQifSwic3ViamVjdF9uYW1lIjoidGlhbmlkZXZ0ZWFtQG5ocy5uZXQiLCJzdWJqZWN0X29yZ2FuaXphdGlvbiI6IkZDMSJ9fX0.Gy9k2AjmJZDpz4FhhnBfwFK_JVoBtuVqy3psKUhx9NIAn38SKa-E2iHiS2ZM0D4j7xWUFDQQ8wsuO9cI9DSk7GP2yjJX-_61TLiB-BbXjYoAPTGF5g8n8nQUYXp5tLLSAadsUoV46oCmQgUz4gDU3RQmnCNevlVwZK9OyAcu_WcnTESwJsLIuNLlXSpxY58xTrYbEZWVH1kCRQbl4Ksp6ENzTMJ09Gsphydf7Vb5tAc-vN3dwcPJ0dDhhuaIyjFaTuxzmnz7lgWamTUn9AIsoQ5rB3p_DnEytLLr7Tl9UnSRBHq4kR5I1eN8LlOtdfClD7jZ0SlozqIEw9D3nWmxAA

2025-12-10 16:54:27,623 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-2) Local JWT token verification has failed, attempting the token introspection

It seems to suggest that it has not loaded the tenant-a configuration and cannot route to the relevant config using the issuer.

Can any offer any further advice?

[sberyozkin]

@MatthewThomasTiani I'm not sure at the moment but it might be related to the the fact that tenant-a works without an actual OIDC provider connection and there might be some code there that unintentionally impacts its resolution if it is not a default one.

Can you please make it a default tenant and the cognito one - tenant-a and check if it makes a difference ?

[sberyozkin]

@MatthewThomasTiani or perhaps the bug is to do with the fact that quarkus.oidc.resolve-tenants-with-issuer=true works only with named tenants, which we can easily fix if it proves the case, so another thing to try is to avoid having a default tenant, but only tenant-a, tenant-b, etc

[MatthewThomasTiani]

Hi @sberyozkin, Here is the outputs for your suggested tests.

swapping the default to be tenant-a

Config:

quarkus.oidc.resolve-tenants-with-issuer=true

#NEW TENANT-A
quarkus.oidc.tenant-a.discovery-enabled=true
quarkus.oidc.tenant-a.auth-server-url=https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4
quarkus.oidc.tenant-a.roles.role-claim-path=cognito:groups
quarkus.oidc.tenant-a.token.principal-claim=username

#NEW DEFAULT
quarkus.oidc.discovery-enabled=true
quarkus.oidc.roles.role-claim-path=extensions/ihe_iua/subject_role/code
quarkus.oidc.token.issuer=my_issuer
quarkus.oidc.public-key={some_really_long_public_key}

When starting quarkus is dev mode I see that it does find the Cognito jwks and also it sees there is a public-key configuration.

2025-12-11 08:25:40,374 DEBUG [io.quarkus.oidc.runtime.OidcProviderClientImpl] (vert.x-eventloop-thread-1) Get verification JWT Key Set at https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4/.well-known/jwks.json

2025-12-11 08:25:40,445 DEBUG [io.quarkus.oidc.runtime.OidcProviderClientImpl] (vert.x-eventloop-thread-1) Request succeeded: {"keys":[{"alg":"RS256","e":"AQAB","kid":"mu667634vJbcSYnrM+m90nEwicHHOtRjnprdMVcI1BM=","kty":"RSA","n":"rJNBHyZNFXT2aqzMu0gCwnA-40teegPpqLT_Fe6G95Ag8y3gXCfnI30GrpMvdXL-U0jWmEvOUmc67sSCHkfNcVrwRii8rV7QAi7jdPHH8zEvSNTHSZjnxa-9swjJ0W1bIxSTNkMLW3RvwhTWyiZG7A-TGeQy5H3fKn2Hp-PlVqU0---rZcfF4foN5quRDelEqRK_0vGfCzvZuVz3s3meCnRJcMoc-poVEtNyne6KxeToD0DLI_8nc0_J3U90LHiUk7W6yAPVPbnqyQ77FcJ_JUucsCGQFL54fH-lf0OSTeDv81JtOGHgOVMgKHr7d4Z7Jip0WoUW0iwi9KMc4oj8Nw","use":"sig"},{"alg":"RS256","e":"AQAB","kid":"Iy06xS+7aKOvDJ8t9Xs7g7T8mEWsckE/Nqsq/5YP0mM=","kty":"RSA","n":"3JUrWXqNHi-qFsLGkB93o2Q5V5Y10awxiEsnIFnr1gT0cobyqthfOatkHFHGIfj7PXc_Wu4shWSv5f4djHipbbpbvn0XpsDYcWAr6CmvF1M5mPWE2NPxdPzBrGp5hPKTxMiKLg7dsNTbP-L5aw2tMD1RQ0sAkABvQa9T7bVfx8H4l-RDIpprsCbA2Js2MC7DWgR25gNKEWei6Pv2xnIxmsnhKNq1RCN3yiEse3POBwPckekhA2ukCy8SqNPruGsE_dJAmUAZRYfFidC3bibDhv-Y3VVc7O2yt1YpMx7b5Y5ktzzFYE79EwiHHjIiW217-iFM8osi6sbOWp_idNYOvQ","use":"sig"}]}

2025-12-11 08:25:40,456 DEBUG [io.quarkus.oidc.runtime.OidcRecorder] (Quarkus Main Thread) 'public-key' property for the local token verification is set, no connection to the OIDC server will be created
2025-12-11 08:25:40,515 INFO  [io.quarkus] (Quarkus Main Thread) code-with-quarkus 1.0.0-SNAPSHOT on JVM (powered by Quarkus 3.30.3) started in 2.229s. Listening on: http://localhost:8080

Request with cognito token

2025-12-11 08:30:21,089 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-3) Looking for a token in the authorization header
2025-12-11 08:30:21,089 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-3) Authorization scheme: Bearer
2025-12-11 08:30:21,091 DEBUG [io.quarkus.oidc.runtime.StaticTenantResolver] (vert.x-eventloop-thread-3) Resolved the 'tenant-a' OIDC tenant based on the matching issuer 'https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4'
2025-12-11 08:30:21,092 DEBUG [io.quarkus.oidc.runtime.OidcAuthenticationMechanism] (vert.x-eventloop-thread-3) Resolved OIDC tenant id: tenant-a
2025-12-11 08:30:21,093 DEBUG [io.quarkus.oidc.runtime.BearerAuthenticationMechanism] (vert.x-eventloop-thread-3) Starting a bearer access token authentication
2025-12-11 08:30:21,095 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-3) Starting creating SecurityIdentity
2025-12-11 08:30:21,096 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-3) Verifying the JWT token with the local JWK keys

Looks happy, I see Resolved OIDC tenant id: tenant-a and I get a 200 response.

Request with local token

2025-12-11 08:34:10,854 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Looking for a token in the authorization header
2025-12-11 08:34:10,854 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Authorization scheme: Bearer
2025-12-11 08:34:10,855 DEBUG [io.quarkus.oidc.runtime.OidcAuthenticationMechanism] (vert.x-eventloop-thread-2) Resolved OIDC tenant id: Default
2025-12-11 08:34:10,856 DEBUG [io.quarkus.oidc.runtime.BearerAuthenticationMechanism] (vert.x-eventloop-thread-2) Starting a bearer access token authentication
2025-12-11 08:34:10,856 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Looking for a token in the authorization header
2025-12-11 08:34:10,856 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Authorization scheme: Bearer
2025-12-11 08:34:10,857 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-2) Starting creating SecurityIdentity
2025-12-11 08:34:10,857 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-2) Performing token verification with a configured public key
2025-12-11 08:34:10,859 INFO  [io.quarkus.http.access-log] (executor-thread-1) 

Now this worked, which I did not expect. This suggests to me that is may still be failing on issuer resolution and the fact that this is the default means it works.

To test this further I will create a second "local" token with a public key configuration and add a tenant-b, therefore having 3 options.

Testing new tenant-b (3rd oidc option)

I will just add the new tenant config and maintain the default as the local and tenant-a as cognito.

Config

quarkus.oidc.resolve-tenants-with-issuer=true

#TENANT-A
quarkus.oidc.tenant-a.discovery-enabled=true
quarkus.oidc.tenant-a.auth-server-url=https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4
quarkus.oidc.tenant-a.roles.role-claim-path=cognito:groups
quarkus.oidc.tenant-a.token.principal-claim=username

#DEFAULT
quarkus.oidc.discovery-enabled=true
quarkus.oidc.roles.role-claim-path=extensions/ihe_iua/subject_role/code
quarkus.oidc.token.issuer=my_issuer
quarkus.oidc.public-key={some_really_long_public_key}

#TENANT B
quarkus.oidc.tenant-b.discovery-enabled=true
quarkus.oidc.tenant-b.roles.role-claim-path=extensions/ihe_iua/subject_role/code
quarkus.oidc.tenant-b.token.issuer=tenant-b
quarkus.oidc.tenant-b.public-key={some_really_long_public_key}

Here is the logs of quarkus starting up with the updated config.

2025-12-11 08:45:38,580 DEBUG [io.quarkus.oidc.runtime.OidcRecorder] (Quarkus Main Thread) 'public-key' property for the local token verification is set, no connection to the OIDC server will be created

2025-12-11 08:45:39,119 DEBUG [io.quarkus.oidc.runtime.OidcProviderClientImpl] (vert.x-eventloop-thread-1) Get verification JWT Key Set at https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4/.well-known/jwks.json
2025-12-11 08:45:39,272 DEBUG [io.quarkus.oidc.runtime.OidcProviderClientImpl] (vert.x-eventloop-thread-1) Request succeeded: {"keys":[{"alg":"RS256","e":"AQAB","kid":"mu667634vJbcSYnrM+m90nEwicHHOtRjnprdMVcI1BM=","kty":"RSA","n":"rJNBHyZNFXT2aqzMu0gCwnA-40teegPpqLT_Fe6G95Ag8y3gXCfnI30GrpMvdXL-U0jWmEvOUmc67sSCHkfNcVrwRii8rV7QAi7jdPHH8zEvSNTHSZjnxa-9swjJ0W1bIxSTNkMLW3RvwhTWyiZG7A-TGeQy5H3fKn2Hp-PlVqU0---rZcfF4foN5quRDelEqRK_0vGfCzvZuVz3s3meCnRJcMoc-poVEtNyne6KxeToD0DLI_8nc0_J3U90LHiUk7W6yAPVPbnqyQ77FcJ_JUucsCGQFL54fH-lf0OSTeDv81JtOGHgOVMgKHr7d4Z7Jip0WoUW0iwi9KMc4oj8Nw","use":"sig"},{"alg":"RS256","e":"AQAB","kid":"Iy06xS+7aKOvDJ8t9Xs7g7T8mEWsckE/Nqsq/5YP0mM=","kty":"RSA","n":"3JUrWXqNHi-qFsLGkB93o2Q5V5Y10awxiEsnIFnr1gT0cobyqthfOatkHFHGIfj7PXc_Wu4shWSv5f4djHipbbpbvn0XpsDYcWAr6CmvF1M5mPWE2NPxdPzBrGp5hPKTxMiKLg7dsNTbP-L5aw2tMD1RQ0sAkABvQa9T7bVfx8H4l-RDIpprsCbA2Js2MC7DWgR25gNKEWei6Pv2xnIxmsnhKNq1RCN3yiEse3POBwPckekhA2ukCy8SqNPruGsE_dJAmUAZRYfFidC3bibDhv-Y3VVc7O2yt1YpMx7b5Y5ktzzFYE79EwiHHjIiW217-iFM8osi6sbOWp_idNYOvQ","use":"sig"}]}

2025-12-11 08:45:39,274 DEBUG [io.quarkus.oidc.runtime.OidcRecorder] (Quarkus Main Thread) 'public-key' property for the local token verification is set, no connection to the OIDC server will be created
2025-12-11 08:45:39,340 INFO  [io.quarkus] (Quarkus Main Thread) code-with-quarkus 1.0.0-SNAPSHOT on JVM (powered by Quarkus 3.30.3) started in 2.167s. Listening on: http://localhost:8080

We can see there are now 2 outputs for public-key which suggests it has found the config.

Request for tenant-b

2025-12-11 08:46:50,502 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Looking for a token in the authorization header
2025-12-11 08:46:50,502 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Authorization scheme: Bearer
2025-12-11 08:46:50,504 DEBUG [io.quarkus.oidc.runtime.OidcAuthenticationMechanism] (vert.x-eventloop-thread-2) Resolved OIDC tenant id: Default
2025-12-11 08:46:50,504 DEBUG [io.quarkus.oidc.runtime.BearerAuthenticationMechanism] (vert.x-eventloop-thread-2) Starting a bearer access token authentication
2025-12-11 08:46:50,505 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Looking for a token in the authorization header
2025-12-11 08:46:50,505 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Authorization scheme: Bearer
2025-12-11 08:46:50,507 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-2) Starting creating SecurityIdentity
2025-12-11 08:46:50,508 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-2) Performing token verification with a configured public key
2025-12-11 08:46:50,514 DEBUG [io.quarkus.oidc.runtime.OidcProvider] (vert.x-eventloop-thread-2) Token verification has failed: Invalid JWS Signature: JsonWebSignature{"kid":"externaldevuser","alg":"RS256","typ":"JWT"}->eyJraWQiOiJleHRlcm5hbGRldnVzZXIiLCJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3NjU0NDI1MDUsIm5iZiI6MTc2NTQ0MjUwNSwiYXVkIjoiTGFuY2FzaGlyZVNvdXRoQ3VtYnJpYUludGVncmF0ZWRDYXJlU3lzdGVtIiwic3ViIjoiMzM4NGFhY2UtYjNiZC00YWVhLWJjNTUtYmUxM2UwOTgzOWQ3IiwiZXhwIjoxNzY1NDQ2MTA1LCJqdGkiOiIyZjFiMzYzNy04NzE4LTRmNDYtODZjZC0zMmRmNTNiMzZhNDIiLCJpc3MiOiJ0ZW5hbnQtYiIsInNjb3BlIjoiSVRJLTY2IElUSS02NyBJVEktNjggSVRJLTc4IElUSS04MyIsImdyb3VwcyI6WyJDbGluaWNhbCJdLCJleHRlbnNpb25zIjp7ImloZV9pdWEiOnsiaG9tZV9jb21tdW5pdHlfaWQiOiJ1cm46b2lkOjIuMTYuODQwLjEuMTEzODgzLjIuMS4zLjMxLjIuMS4xLjEuMS4xMiIsInN1YmplY3Rfb3JnYW5pemF0aW9uX2lkIjoidXJuOjJ0c29sdXRpb25zIiwic3ViamVjdF9yb2xlIjp7InN5c3RlbSI6IjEuMi4zLjQuNS43IiwiY29kZSI6IkNsaW5pY2FsIiwiZGlzcGxheSI6IlJPTEUifSwicHVycG9zZV9vZl91c2UiOnsic3lzdGVtIjoiMS4zLjYuMS40LjEuMjEzNjcuMzAwMC40LjEiLCJjb2RlIjoiVHJlYXRtZW50IiwiZGlzcGxheSI6IlRSRUFUTUVOVCJ9LCJzdWJqZWN0X25hbWUiOiJNYXR0aGV3VGhvbWFzIiwic3ViamVjdF9vcmdhbml6YXRpb24iOiIyVCBTb2x1dGlvbnMifX19.V7y5aZs81Fb8ZstYLR2gJH4enlUnrpCKtFolWfxdTJOmb6tXk5G8iCu7icYfybuYMY8cyzTnYJVYLDOXYPCbVQY9OXfBnbTAd54DWqgRj3T0aUlBLrgpFlEw53r7DAr6ITjUWtb8tX8nkq9xL0umi3ZTjUQNzZhz9JN6zE2pCDIxLIz5_e1yfTR_nnW5eHDesqUIaLtj7OZeC3QIpnKCd7U9YVJnMARJfV9_paCM6ORTisAJSi7DCXe5IB6clt-X-TsFMCFWCU6p6D6sHmrvJYdTvUd3wd8VCnLF1gPHCXUbude4ZL22OvM47aVxYaiex6EmeLRtufqTtjNktw-UKQ

This failed with a 401 - as you can see it selected the default tenant-id.

Named tenants only - no default configruation

Config

I will return back to a two tenant config, one will be cognito, the other will be local.

quarkus.oidc.resolve-tenants-with-issuer=true

#TENANT-A
quarkus.oidc.tenant-a.discovery-enabled=true
quarkus.oidc.tenant-a.auth-server-url=https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4
quarkus.oidc.tenant-a.roles.role-claim-path=cognito:groups
quarkus.oidc.tenant-a.token.principal-claim=username

#TENANT-B
quarkus.oidc.tenant-b.discovery-enabled=true
quarkus.oidc.tenant-b.roles.role-claim-path=extensions/ihe_iua/subject_role/code
quarkus.oidc.tenant-b.token.issuer=my_issuer
quarkus.oidc.tenant-b.public-key={some_really_long_public_key}

Here is the logs of quarkus starting up with the updated config.

2025-12-11 08:51:57,700 DEBUG [io.quarkus.oidc.runtime.OidcRecorder] (Quarkus Main Thread) 'public-key' property for the local token verification is set, no connection to the OIDC server will be created

2025-12-11 08:51:58,177 DEBUG [io.quarkus.oidc.runtime.OidcProviderClientImpl] (vert.x-eventloop-thread-1) Get verification JWT Key Set at https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4/.well-known/jwks.json
2025-12-11 08:51:58,220 DEBUG [io.quarkus.oidc.runtime.OidcProviderClientImpl] (vert.x-eventloop-thread-1) Request succeeded: {"keys":[{"alg":"RS256","e":"AQAB","kid":"mu667634vJbcSYnrM+m90nEwicHHOtRjnprdMVcI1BM=","kty":"RSA","n":"rJNBHyZNFXT2aqzMu0gCwnA-40teegPpqLT_Fe6G95Ag8y3gXCfnI30GrpMvdXL-U0jWmEvOUmc67sSCHkfNcVrwRii8rV7QAi7jdPHH8zEvSNTHSZjnxa-9swjJ0W1bIxSTNkMLW3RvwhTWyiZG7A-TGeQy5H3fKn2Hp-PlVqU0---rZcfF4foN5quRDelEqRK_0vGfCzvZuVz3s3meCnRJcMoc-poVEtNyne6KxeToD0DLI_8nc0_J3U90LHiUk7W6yAPVPbnqyQ77FcJ_JUucsCGQFL54fH-lf0OSTeDv81JtOGHgOVMgKHr7d4Z7Jip0WoUW0iwi9KMc4oj8Nw","use":"sig"},{"alg":"RS256","e":"AQAB","kid":"Iy06xS+7aKOvDJ8t9Xs7g7T8mEWsckE/Nqsq/5YP0mM=","kty":"RSA","n":"3JUrWXqNHi-qFsLGkB93o2Q5V5Y10awxiEsnIFnr1gT0cobyqthfOatkHFHGIfj7PXc_Wu4shWSv5f4djHipbbpbvn0XpsDYcWAr6CmvF1M5mPWE2NPxdPzBrGp5hPKTxMiKLg7dsNTbP-L5aw2tMD1RQ0sAkABvQa9T7bVfx8H4l-RDIpprsCbA2Js2MC7DWgR25gNKEWei6Pv2xnIxmsnhKNq1RCN3yiEse3POBwPckekhA2ukCy8SqNPruGsE_dJAmUAZRYfFidC3bibDhv-Y3VVc7O2yt1YpMx7b5Y5ktzzFYE79EwiHHjIiW217-iFM8osi6sbOWp_idNYOvQ","use":"sig"}]}

2025-12-11 08:51:58,222 DEBUG [io.quarkus.oidc.runtime.OidcRecorder] (Quarkus Main Thread) Default tenant is not configured and will be disabled because either 'TenantConfigResolver' which will resolve tenant configurations is registered or named tenants are configured.
2025-12-11 08:51:58,288 INFO  [io.quarkus] (Quarkus Main Thread) code-with-quarkus 1.0.0-SNAPSHOT on JVM (powered by Quarkus 3.30.3) started in 2.085s. Listening on: http://localhost:8080

Request with local token (tenant-b)

2025-12-11 08:54:03,685 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Looking for a token in the authorization header
2025-12-11 08:54:03,685 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-2) Authorization scheme: Bearer
2025-12-11 08:54:03,688 DEBUG [io.quarkus.oidc.runtime.OidcAuthenticationMechanism] (vert.x-eventloop-thread-2) Resolved OIDC tenant id: Default

This looks very unhappy, in my response I get

< HTTP/1.1 401 Unauthorized
< Content-Type: text/plain;charset=UTF-8
< content-length: 17
<
* Connection #0 to host localhost left intact
Not Authenticated%

From my understanding, this did not attempt to verify the token as it could not match against any configured tenant and since there is no default configuration could not progress any further and then exits the workflow.

Request with cognito token (tenant-a)

2025-12-11 08:57:11,776 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-3) Looking for a token in the authorization header
2025-12-11 08:57:11,777 DEBUG [io.quarkus.oidc.runtime.OidcUtils] (vert.x-eventloop-thread-3) Authorization scheme: Bearer
2025-12-11 08:57:11,777 DEBUG [io.quarkus.oidc.runtime.StaticTenantResolver] (vert.x-eventloop-thread-3) Resolved the 'tenant-a' OIDC tenant based on the matching issuer 'https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_h8lh3paC4'
2025-12-11 08:57:11,778 DEBUG [io.quarkus.oidc.runtime.OidcAuthenticationMechanism] (vert.x-eventloop-thread-3) Resolved OIDC tenant id: tenant-a
2025-12-11 08:57:11,778 DEBUG [io.quarkus.oidc.runtime.BearerAuthenticationMechanism] (vert.x-eventloop-thread-3) Starting a bearer access token authentication
2025-12-11 08:57:11,778 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-3) Starting creating SecurityIdentity
2025-12-11 08:57:11,781 DEBUG [io.quarkus.oidc.runtime.OidcIdentityProvider] (vert.x-eventloop-thread-3) Verifying the JWT token with the local JWK keys
2025-12-11 08:57:11,800 INFO  [io.quarkus.http.access-log] (executor-thread-1) 

this worked, I got a 200 response.

I hope this helps clarify some points, please let me know if theres anything else I can do to test.

Thanks!

[sberyozkin]

Thanks @MatthewThomasTiani , I opened the bug issue to investigate why the local tenant is not resolved correctly