/springone2019

Demo steps for Spring One 2019

Primary LanguageJava

Multi-tenancy with OAuth 2.0 and Spring Security

This repo consists of four Spring Boot applications that are secured using Spring Security and OAuth 2.0.

For the application to work, please take the following steps after cloning to your local machine:

  1. Modify your /etc/hosts file

    The demo code points to the endpoint idp:9999 for the Identity Provider. It also refers to each tenant by hostname. So, your machine can resolve this hostname on its own by adding the following to /etc/hosts:

    127.0.0.1   idp
    127.0.0.1   one
    127.0.0.1   two
    127.0.0.1   three
    127.0.0.1   four

    You may need sudo privileges to edit the file.

  2. Start the keycloak docker container

    These demos work with a pre-configured Authorization Server, which you can start up with the following command inside the /etc directory of the demo:

    docker-compose up -d

    Thereafter, you can stop this server with:

    docker-compose stop

    And start it with:

    docker-compose start
  3. Configure tenant

    To do the more advanced demo of adding a tenant dynamically, the tenant application needs to be configured with the master-realm password in Keycloak.

    To do this

     - Log into Keycloak at http://idp:9999 with admin/asdfasdfasdf
     - Select the `master` realm
     - Select `Clients`, and select `master-realm`
     - Change `Access Type` to `confidential`
     - Disable `Direct Access Grants Enabled`
     - Enable `Service Accounts Enabled`
     - Save the client
     - Go to the `Service Account Roles` tab
     - Add `admin` to the effective roles
     - Go to the `Credentials` tab
     - Copy the secret into the `tenant` `application.yml` file
    
  4. Start the servers

    There are four servers, message, user, inbox, tenant. To start each one, you can simply run from the command line from each directory:

    ../mvnw spring-boot:run
  5. Use the application:

    When you navigate to http://one:8080, you'll be invited to authenticate. You can do:

    • rob / password
    • joe / password
    • josh / password

    When you navigate to http://two:8080, you'll be invited to authenticate as well. You can do:

    • filip / password
    • ria / password
    • josh / password
  6. Add a tenant

    To add a tenant, simple run from the etc directory in the project:

    ./add-tenant three

    Then, you'll be able to navigate to http://three:8080 and be invited to authenticate. You can do:

    • rob / password
    • joe / password
    • josh / password

Also, take a look at the Java to HTTP mappings for the Spring Security-powered OAuth 2.0 handshakes.