Implementing Multitenancy in Spring Authorization Server
These articles are AI-generated summaries. Please check the original sources for full details.
Implement Multitenancy in Spring Authorization Server
The Spring Authorization Server has gained traction since its inception as a side project under Spring’s large portfolio, and as of version 7, it has been incorporated into Spring Security as an official module. Spring Authorization Server, or SAS, is a Spring-based library that lets developers quickly implement an OpenID Connect/OAuth 2.0-compliant identity provider.
Why This Matters
In a standard SAS implementation, clients generally share the same set of keys and, critically, the same issuer, which may pose a security risk if not all clients implement audience validation. Using multitenancy, clients can be segregated so that each tenant uses its own key pairs to sign tokens, ensuring that even if clients from one tenant are compromised, the tokens won’t be recognized by other tenants. For instance, a single server deployment can serve multiple distinct customers, with each customer’s data isolated from the others, reducing the risk of data breaches.
Key Insights
- Spring Authorization Server version 7.x is limited to servlet-based applications, and reactive web-based SAS applications should either be rewritten or stay on version 1.x until an upgrade is feasible.
- The OpenID Connect recommendation regarding multitenancy is followed by SAS, where the issuer URL may have a path after the host:port part, and the path’s last part is used as the tenant identifier.
- Enabling multitenancy support for the server requires adding the property “spring.security.oauth2.authorizationserver.multiple-issuers-allowed” and setting it to true in the application.yaml file.
- The implementation strategy for multitenant-aware components follows a composite delegate approach, where each component receives a map of instances of the same kind indexed by tenant identifier.
Working Example
@ConfigurationProperties(prefix = "multitenant-auth-server")
public class MultitenantAuthServerProperties {
private Map<String, OAuth2AuthorizationServerProperties> tenants = new HashMap<>();
public Map<String, OAuth2AuthorizationServerProperties> getTenants() {
return tenants;
}
public void setTenants(Map<String, OAuth2AuthorizationServerProperties> tenants) {
this.tenants = tenants;
}
}
Practical Applications
- Use Case: A company like Stripe or Coinbase can use Spring Authorization Server with multitenancy support to provide secure authentication and authorization for their customers, each with their own isolated tenant.
- Pitfall: A common anti-pattern is to use a single issuer for all clients, which can lead to security risks if not all clients implement audience validation, and a malicious or compromised client may acquire a token and use it to access data intended for other clients.
References:
Continue reading
Next article
Inside OpenAI’s in-house data agent
Related Content
Optimizing API Rate Limiters: Reducing Latency from 200ms to 3ms with B-Tree Indexing
Implementing a B-tree index on a Postgres rate-limiter table reduced average latency from 182.34ms to 3.12ms and increased throughput to 3120 RPS.
Implementing AES-128 CTR Mode in C: A Step-by-Step Guide
Learn to implement AES-128 CTR encryption in C with 128-bit blocks and dynamic memory management.
How to Design Transactional Agentic AI Systems with LangGraph Using Two-Phase Commit, Human Interrupts, and Safe Rollbacks
This tutorial demonstrates building agentic AI systems with LangGraph, achieving transactional workflows with a 99.9% success rate in controlled environments.