Add configuration property to allow multiple issuers

See gh-41355
spring-projects · Jul 17, 2024 · b0b97fb · b0b97fb
1 parent f7780b4
commit b0b97fb
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/...oot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java b/...oot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java
@@ -42,6 +42,30 @@ public class OAuth2AuthorizationServerProperties implements InitializingBean {
 	 */
 	private String issuer;
 
+	/**
+	 * Set to {@code true} if multiple issuers are allowed per host. Using path
+	 * components in the URL of the issuer identifier enables supporting multiple
+	 * issuers per host in a multi-tenant hosting configuration.
+	 *
+	 * <p>
+	 * For example:
+	 * <ul>
+	 * <li>{@code https://example.com/issuer1}</li>
+	 * <li>{@code https://example.com/authz/issuer2}</li>
+	 * </ul>
+	 *
+	 * <p>
+	 * <b>NOTE:</b> Explicitly configuring the issuer identifier via
+	 * {@link #issuer(String)} forces to a single-tenant configuration. Avoid
+	 * configuring the issuer identifier when using a multi-tenant hosting
+	 * configuration, allowing the issuer identifier to be resolved from the
+	 * <i>"current"</i> request.
+	 * @param multipleIssuersAllowed {@code true} if multiple issuers are allowed per
+	 * host, {@code false} otherwise
+	 * @return the {@link Builder} for further configuration
+	 */
+	private boolean multipleIssuersAllowed = false;
+
 	/**
 	 * Registered clients of the Authorization Server.
 	 */

diff --git a/...toconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java b/...toconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java
@@ -51,7 +51,8 @@ AuthorizationServerSettings asAuthorizationServerSettings() {
 		OAuth2AuthorizationServerProperties.Endpoint endpoint = this.properties.getEndpoint();
 		OAuth2AuthorizationServerProperties.OidcEndpoint oidc = endpoint.getOidc();
 		AuthorizationServerSettings.Builder builder = AuthorizationServerSettings.builder();
-		map.from(this.properties::getIssuer).to(builder::issuer);
+		map.from(this.properties::getIssuer).whenHasText().to(builder::issuer);
+		map.from(this.properties::isMultipleIssuersAllowed).to(builder::multipleIssuersAllowed);
 		map.from(endpoint::getAuthorizationUri).to(builder::authorizationEndpoint);
 		map.from(endpoint::getDeviceAuthorizationUri).to(builder::deviceAuthorizationEndpoint);
 		map.from(endpoint::getDeviceVerificationUri).to(builder::deviceVerificationEndpoint);