Implementing Multitenancy in Spring Authorization Server


These articles are AI-generated summaries. Please check the original sources for full details.

Implement Multitenancy in Spring Authorization Server

The Spring Authorization Server has gained traction since its inception as a side project under Spring’s large portfolio, and as of version 7, it has been incorporated into Spring Security as an official module. Spring Authorization Server, or SAS, is a Spring-based library that lets developers quickly implement an OpenID Connect/OAuth 2.0-compliant identity provider.

Why This Matters

In a standard SAS implementation, clients generally share the same set of keys and, critically, the same issuer, which may pose a security risk if not all clients implement audience validation. Using multitenancy, clients can be segregated so that each tenant uses its own key pairs to sign tokens, ensuring that even if clients from one tenant are compromised, the tokens won’t be recognized by other tenants. For instance, a single server deployment can serve multiple distinct customers, with each customer’s data isolated from the others, reducing the risk of data breaches.

Key Insights

  • Spring Authorization Server version 7.x is limited to servlet-based applications, and reactive web-based SAS applications should either be rewritten or stay on version 1.x until an upgrade is feasible.
  • SAS follows the OpenID Connect recommendation for multitenancy: the issuer URL may carry a path after the host:port part, and the last segment of that path is used as the tenant identifier.
  • Enabling multitenancy support on the server requires adding the property spring.security.oauth2.authorizationserver.multiple-issuers-allowed to application.yaml and setting it to true.
  • Multitenant-aware components are implemented with a composite delegate approach: each composite holds a map of instances of the same kind, indexed by tenant identifier, and forwards each call to the delegate for the current tenant.

Working Example

import java.util.HashMap;
import java.util.Map;

import org.springframework.boot.context.properties.ConfigurationProperties;
// Package name as in Spring Boot 3.x; adjust to the Boot version you run.
import org.springframework.boot.autoconfigure.security.oauth2.server.servlet.OAuth2AuthorizationServerProperties;

// Binds multitenant-auth-server.tenants.<tenant-id>.* from application.yaml,
// so each tenant carries its own issuer and key material.
@ConfigurationProperties(prefix = "multitenant-auth-server")
public class MultitenantAuthServerProperties {
    private Map<String, OAuth2AuthorizationServerProperties> tenants = new HashMap<>();
    public Map<String, OAuth2AuthorizationServerProperties> getTenants() {
        return tenants;
    }
    public void setTenants(Map<String, OAuth2AuthorizationServerProperties> tenants) {
        this.tenants = tenants;
    }
}
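The composite delegate approach described under Key Insights, written out as an added example (not code from this summary or from the Spring project): a JWKSource that serves only the current tenant's key set, resolving the tenant from the last path segment of the issuer that SAS exposes through AuthorizationServerContextHolder. The class name TenantJwkSource and the per-tenant delegate map are assumptions; an unknown tenant fails closed rather than falling back to another tenant's keys.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;

import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContext;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;

/** Routes JWK lookups to the key set of the tenant named by the current issuer (hypothetical class). */
public final class TenantJwkSource implements JWKSource<SecurityContext> {

    // tenant id -> that tenant's own key source, built once per tenant at startup (assumed)
    private final Map<String, JWKSource<SecurityContext>> delegates;

    public TenantJwkSource(Map<String, JWKSource<SecurityContext>> delegates) {
        this.delegates = Map.copyOf(delegates);
    }

    @Override
    public List<JWK> get(JWKSelector selector, SecurityContext context) throws KeySourceException {
        AuthorizationServerContext ctx = AuthorizationServerContextHolder.getContext();
        if (ctx == null) {
            throw new KeySourceException("No authorization server context bound to this request");
        }
        String tenantId = tenantIdFromIssuer(ctx.getIssuer());
        JWKSource<SecurityContext> delegate = delegates.get(tenantId);
        if (delegate == null) {
            // Fail closed: a token for an unknown tenant must never be signed or verified with another tenant's keys.
            throw new KeySourceException("No key source registered for tenant '" + tenantId + "'");
        }
        return delegate.get(selector, context);
    }

    /** Last path segment of the issuer URL, e.g. https://auth.example/issuer1 -> issuer1. */
    static String tenantIdFromIssuer(String issuer) {
        String path = URI.create(issuer).getPath();
        if (path == null || path.isEmpty() || path.equals("/")) {
            throw new IllegalArgumentException("Issuer carries no tenant path: " + issuer);
        }
        String trimmed = path.endsWith("/") ? path.substring(0, path.length() - 1) : path;
        return trimmed.substring(trimmed.lastIndexOf('/') + 1);
    }
}
```

Register the composite as the JWKSource bean and apply the same pattern to the other per-tenant components (e.g. RegisteredClientRepository) so that every lookup is scoped by the issuer path.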

Practical Applications

  • Use Case: A company like Stripe or Coinbase can use Spring Authorization Server with multitenancy support to provide secure authentication and authorization for their customers, each with their own isolated tenant.
  • Pitfall: A common anti-pattern is to use a single issuer for all clients. If not all clients implement audience validation, a malicious or compromised client may acquire a token and use it to access data intended for other clients.
