Multi-tenant OAuth 2.0 with Spring Security 5.3


A very typical OAuth deployment includes an Authorization Server and a set of applications and APIs that trust authorities issued by that Authorization Server.

But what about APIs and applications that serve more than one tenant? Can a single API or application trust multiple Authorization Servers? What about making those decisions programmatically at runtime or via a database? Multi-tenant deployments bring their own set of challenges, especially when you have thousands of tenants of varying shapes and sizes.

Multi-tenancy presents this tricky balance of cost, security, and code complexity. Learn how this comes into play with authentication and authorization, and how Spring Security 5.3 simplifies this concern. In this talk, we'll introduce AuthenticationManagerResolver, a simple interface from Spring Security that packs a lot of punch due to its strategic placement in the filter chain. We'll also review Spring Security's ClientRegistrationRepository and where it comes into play. We'll begin with a very typical OAuth application and then explore a few different deployment models, expanding it throughout the talk into a secure, yet dynamic, database-driven, multi-tenant deployment.

And along the way, we'll pick up some general multi-tenancy principles that can be applied outside of authentication and authorization use cases.
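As an added example (not code from the talk or from Spring Security's own samples), here is a Spring Security 5.3 resource server whose AuthenticationManagerResolver picks a per-tenant JwtDecoder from a tenant store, so that only issuers the store marks as enabled are ever trusted. The issuer URIs and the in-memory tenant map are constructed stand-ins for the database-driven lookup the talk describes.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;

@EnableWebSecurity
public class MultiTenantResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical tenant store standing in for a database table: issuer URI -> tenant enabled?
    // The issuer URIs are constructed placeholders, not real Authorization Servers.
    private final Map<String, Boolean> tenantsByIssuer = new ConcurrentHashMap<>(Map.of(
            "https://idp.tenant-a.example/", true,
            "https://idp.tenant-b.example/", false));   // tenant-b has been disabled

    // One AuthenticationManager (and JwtDecoder) per issuer, built lazily and cached so that
    // OIDC discovery runs once per tenant rather than once per request.
    private final Map<String, AuthenticationManager> managersByIssuer = new ConcurrentHashMap<>();

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(authz -> authz.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver()));
    }

    AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver() {
        // JwtIssuerAuthenticationManagerResolver reads the bearer token's "iss" claim *before* any
        // signature check, so that value is untrusted input: use it only to choose which trusted
        // decoder verifies the token. Returning null rejects the token as an invalid issuer, so
        // unknown or disabled tenants are refused before any discovery or network call is made.
        return new JwtIssuerAuthenticationManagerResolver(issuer -> {
            if (!Boolean.TRUE.equals(tenantsByIssuer.get(issuer))) {
                return null;
            }
            return managersByIssuer.computeIfAbsent(issuer, iss -> {
                // The decoder built from the issuer location also validates that "iss" matches.
                JwtDecoder decoder = JwtDecoders.fromIssuerLocation(iss);
                return new ProviderManager(new JwtAuthenticationProvider(decoder));
            });
        });
    }
}
```

Because the tenant store is consulted on every request ahead of the decoder cache, flipping a tenant to disabled takes effect immediately, while already-built decoders for enabled tenants keep being reused.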

OAuth 2.0
Spring Security

Josh Cummings


Josh loves to code, and his kids love to code, too! Since he was a wee teenager with a TRS-80 from Radio Shack, he's loved building whatever came to mind. These days, he contributes full-time to the Spring Security codebase. He is also the author of a handful of Java web security courses on Pluralsight and loves learning from and mentoring others about application security. When Josh isn't coding, he's dunking over his kids on a seven-foot basketball hoop, eating frosted mini-wheats, or reading Brandon Sanderson. Or he's coding.