OIDC with KeyCloak multi-tenant setup.

[mustafamotiwala]

I am trying to configure my application with OIDC. In our setup, each tenant in KeyCloak is configured in their own realm.
In my quarkus app, I have implemented a TenantConfigResolver which dynamically resolves the issuer to validate that the base URL matches. However, when I try to launch the app, I get an error about quarkus.oidc.auth-server-url not set. When I set the quarkus.oidc.auth-server-url to the base URL for my key-cloak server, the app fails to start because the OIDC endpoints don't work.

What might I be doing wrong? How should I go about doing this? My end-goal is to allow the OAuth2 authentication to work & validate JWT tokens using OIDC - provided the issuer base URL matches our KeyCloak instance.

[quarkus-bot[bot]]

/cc @sberyozkin (keycloak,oidc)

[sberyozkin]

@mustafamotiwala What Quarkus version is it ? Registering @ApplicationScoped tenant config resolver should be sufficient

[mustafamotiwala]

It is 3.30.6.

I have the bean defined as:

@ApplicationScoped
public class QuarkusKeycloakTenantConfigResolver implements TenantConfigResolver {
...

Without specifying the quarkus.oidc.auth-server-url the startup fails with:

java.lang.RuntimeException: java.lang.RuntimeException: Failed to start quarkus
	at io.quarkus.test.junit.QuarkusTestExtension.throwBootFailureException(QuarkusTestExtension.java:663)
	at io.quarkus.test.junit.QuarkusTestExtension.interceptTestClassConstructor(QuarkusTestExtension.java:758)
	at java.base/java.util.Optional.orElseGet(Optional.java:364)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
Caused by: java.lang.RuntimeException: Failed to start quarkus
	at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
	at io.quarkus.runtime.Application.start(Application.java:101)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at io.quarkus.runner.bootstrap.StartupActionImpl.run(StartupActionImpl.java:350)
	at io.quarkus.test.junit.QuarkusTestExtension.doJavaStart(QuarkusTestExtension.java:229)
	at io.quarkus.test.junit.QuarkusTestExtension.ensureStarted(QuarkusTestExtension.java:637)
	at io.quarkus.test.junit.QuarkusTestExtension.beforeAll(QuarkusTestExtension.java:682)
	... 1 more
Caused by: io.smallrye.mutiny.CompositeException: Multiple exceptions caught:
	[Exception 0] io.quarkus.runtime.configuration.ConfigurationException: 'quarkus.oidc.auth-server-url' property must be configured
	[Exception 1] io.quarkus.oidc.OIDCException
	at...

With quarkus.oidc.auth-server-url set to the base url for my issuer: https://keycloak.example.com/ the startup fails with:

OIDC Server is not available:: io.quarkus.oidc.common.runtime.OidcEndpointAccessException
        at io.quarkus.oidc.common.runtime.OidcCommonUtils.lambda$doDiscoverMetadata$5(OidcCommonUtils.java:604)
        at io.smallrye.context.impl.wrappers.SlowContextualFunction.apply(SlowContextualFunction.java:21)
        at io.smallrye.mutiny.operators.uni.UniOnItemTransform$UniOnItemTransformProcessor.onItem(UniOnItemTransform.java:36)
        at io.smallrye.mutiny.vertx.AsyncResultUni.lambda$subscribe$1(AsyncResultUni.java:35)

[sberyozkin]

@mustafamotiwala Sure, quarkus.oidc.tenant-enabled=false would be fine, please try.

Users should not be required to do quarkus.oidc.tenant-enabled=false though when a resolver is available, let me check

[sberyozkin]

This code is not executing for some reasons in your case, https://github.com/quarkusio/quarkus/blob/main/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantContextFactory.java#L189.

[rameshreddy-adutla]

Quarkus OIDC has built-in multi-tenant support. The key is implementing a TenantConfigResolver that dynamically resolves the OIDC configuration per request based on the tenant/realm.

Here's the pattern:

@ApplicationScoped
public class CustomTenantConfigResolver implements TenantConfigResolver {

    @Override
    public Uni<OidcTenantConfig> resolve(RoutingContext context, OidcRequestContext<OidcTenantConfig> requestContext) {
        String tenantId = extractTenantId(context); // from path, header, or subdomain
        
        OidcTenantConfig config = new OidcTenantConfig();
        config.setTenantId(tenantId);
        config.setAuthServerUrl("https://keycloak.example.com/realms/" + tenantId);
        config.setClientId("my-app");
        config.setApplicationType(OidcTenantConfig.ApplicationType.SERVICE);
        
        return Uni.createFrom().item(config);
    }
    
    private String extractTenantId(RoutingContext context) {
        // Option 1: From path parameter
        // e.g., /api/{tenant}/resource
        return context.pathParam("tenant");
        
        // Option 2: From header
        // return context.request().getHeader("X-Tenant-ID");
    }
}

Important notes:

1. Each KeyCloak realm maps to a separate OIDC tenant in Quarkus
2. Quarkus caches the tenant configs, so resolved configs are reused for subsequent requests with the same tenant ID
3. You can also use static config in application.properties for known tenants:

   quarkus.oidc.tenant-a.auth-server-url=https://keycloak/realms/tenant-a
   quarkus.oidc.tenant-a.client-id=my-app

See the Quarkus OIDC Multi-Tenancy guide for the full documentation.

[mustafamotiwala]

@rameshreddy-adutla - my requirements are slightly different. i.e. I have a central KC server, and the intent was to connect to my quarkus app to allow authenticating against the different realms on that server. As such, I already have a TenantConfigResolver which validates that the issuer is the correct server and then allows the flow to go through.

What I can not do is update the application.properties & redeploy my application every time a new realm is added to the KeyCloak server. (Compile time vs. runtime realm/tenant resolution)

[eijckron]

@mustafamotiwala I think that if you only need multiple realm support without specific routing that works out of the box, simply configure multiple keycloak realms and Quarkus will pick up the one that matches the configured url