Handling Dynamic Redirect URLs for Multi-Tenant SaaS with OAuth in Quarkus

[uhexos]

Hello everyone,

I'm building a multi-tenant SaaS application using Quarkus and implementing OAuth 2.0 for authentication. Our tenant URLs follow a pattern like http://localhost:9000/store/{tenantId}/dashboard, where {tenantId} is a unique identifier for each tenant (e.g., 314249607888530860).

The challenge I'm facing is how to handle the redirect_uri parameter during the OAuth flow. Since OAuth providers generally discourage or don't allow wildcard redirect URLs for security reasons, I need a way to ensure users are redirected back to the correct tenant-specific URL and their intended destination after successful authentication.

Currently, I have a custom TenantConfigResolver that dynamically determines the OIDC tenant configuration based on the incoming request path. Here's my implementation:

@ApplicationScoped
public class CustomTenantConfigResolver implements TenantConfigResolver {

  @Override
  public Uni<OidcTenantConfig> resolve(
      RoutingContext context, OidcRequestContext<OidcTenantConfig> requestContext) {
    String path = context.request().path();
    String[] parts = path.split("/");

    if (parts.length < 3) {
      return null;
    }

    if ("store".equals(parts[1])) {
      return Uni.createFrom().item(createTenantConfig(parts[2]));
    }

    return null;
  }

  private OidcTenantConfig createTenantConfig(String tenantId) {
    final AuthenticationConfigBuilder authenticationConfigBuilder =
        new AuthenticationConfigBuilder()
            .redirectPath("/auth/callback/store")
            .scopes(
                Arrays.asList(
                    "openid",
                    "profile",
                    "email",
                    "urn:zitadel:iam:user:resourceowner",
                    "urn:zitadel:iam:org:id:" + tenantId))
            .pkceRequired();

    return OidcTenantConfig.authServerUrl("http://localhost:8080")
        .clientId("313636401247776172")
        .tenantId("storeTenant")
        .applicationType(WEB_APP)
        .authentication(authenticationConfigBuilder.build())
        .tokenStateManager()
        .encryptionSecret("changeme")
        .end()
        .logout()
        .path("/logout")
        .extraParams(Map.of("client_id", "313636401247776172"))
        .end()
        .build();
  }
}

My current approach for the callback handler looks like this:

Java

public class CallbackResource {

    @GET
    @PermitAll
    public Response handleCallback(@Context RoutingContext routingContext,
                                   @Context SecurityContext securityContext,
                                   @Context HttpServerRequest request) {
        String originalRequest = null;
        if (routingContext.session() != null) {
            originalRequest = (String) routingContext.session().get("original-request");
        }

        String redirectUrl = originalRequest != null ? originalRequest : "/";

        if (securityContext.getUserPrincipal() instanceof JsonWebToken) {
            JsonWebToken idToken = (JsonWebToken) securityContext.getUserPrincipal();
            String tenantId = idToken.getClaim("urn:zitadel:iam:org:id");
            if (tenantId != null) {
            }
        }

        return Response.seeOther(URI.create(redirectUrl)).build();
    }
}

My current strategy involves setting a generic callback URL (/auth/callback/store) in the tenant configuration and then attempting to retrieve the original requested URL from the session in the callback handler.

However, I'm not seeing the original URL being available in the session within the CallbackResource.

My questions are:

1. What is the recommended approach in a Quarkus SaaS application with OAuth to handle dynamic redirect URLs based on the tenant?
2. How can I ensure that after successful authentication, the user is redirected back to the specific URL they initially requested (e.g., http://localhost:9000/store/314249607888530860/dashboard, e.g., http://localhost:9000/store/314249607888530860/cart, e.g., http://localhost:9000/store/314249607888530860/wishlist etc)?
3. Is my current TenantConfigResolver implementation correctly setting the redirectPath? How does Quarkus OIDC handle this in a multi-tenant context?
4. What is the correct way to preserve the original requested URL before the OAuth redirect and retrieve it in the callback handler within a Quarkus application?

Any insights or best practices would be greatly appreciated!

[sberyozkin]

@uhexos Hi, you can use quarkus.oidc.authentication.restore-path-after-redirect and the user will be redirected to the original path.

Or, in your callback resource, you can inject OidcSession, get the tenant id, and redirect the user further.

You don't need to try to get the state cookie content.

Also, the callback handler should have @Authenticated, by the time it is called , the authorization code flow already completed

[uhexos]

So using the standard OIDC client initialized via the properties file, everything works as expected. If I go to localhost:9000/bankai, although the redirect path is '/' I end up at the bankai page.

Now with the CustomTenantConfigResolver, I visit http://localhost:9000/store/314249607888530860/dashboard the same redirect path "/" I never get to to the dashboard but remain at '/'.

Config

quarkus.oidc.auth-server-url=http://localhost:8080
quarkus.oidc.client-id=313636401247776172
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.redirect-path=/
quarkus.oidc.authentication.pkce-required=true
quarkus.oidc.authentication.scopes=profile,email,urn:zitadel:iam:user:resourceowner
quarkus.analytics.disabled=true
quarkus.oidc.token-state-manager.encryption-secret=12hm2qWErdjYbjK9x8eXUbf6gOcl9X
quarkus.oidc.logout.path=/logout
quarkus.oidc.logout.post-logout-path=/auth/bye
quarkus.oidc.logout.extra-params.client_id=${quarkus.oidc.client-id}
quarkus.oidc.authentication.restore-path-after-redirect=true

[uhexos]

Seems I have figured it out, (shout out to autocomplete) I needed to add .restorePathAfterRedirect() to the request

Request now looks like

  new AuthenticationConfigBuilder()
            .redirectPath("/")
            **.restorePathAfterRedirect()** --> this is the new addition
            .scopes(
                Arrays.asList(
                    "openid",
                    "profile",
                    "email",
                    "urn:zitadel:iam:user:resourceowner",
                    "urn:zitadel:iam:org:id:" + tenantId))
            .pkceRequired();

[sberyozkin]

@uhexos Glad you have figured it out.

Right, when the original request path must be restored, the callback one becomes virtual, in this case its only role is to support whitelisting registered clients, as you pointed out earlier, most providers won't accept wildcard callbacks.

Now that you have it working, as I said earlier, you can try to have a closer control: instead of adding restorePathAfterRedirect, have an actual authenticated callback handler and get a tenant id from the injected OidcSession and redirect yourself with the JAX-RS redirect API, whether it is worth it or not is application specific I guess, you can probably log more details if you do it yourself, etc...

In meantime, I'd like to clarify a couple of things from your comments above:

• You said in one case Quarkus OIDC was not supplying redirect_uri during the redirect ? I can't see how it can ever happen, the adding a redirect URI is not conditional, its value can indeed vary, bur from what I can see it can't really happen. Can you double check it ?
• You said the multi-tenancy demo confused you, can you clarify exactly what did mislead ? May be we should tune some text there

[uhexos]

While I would love to write my own callback I still have no idea how I can get the original intended URL of the user 🙈🙈, I really don't want to redirect them to the homepage everytime they login eg if a user attempted to add to see a product, I want them back on the product after login.

On the issue of the errors

1. Yes so when I take out the .redirectPath(...), I expected that whatever url that triggered the auth call will be passed as the redirect url but instead I saw the following error from the oauth server

{
  "error": "invalid_request",
  "error_description": "The requested redirect_uri is missing in the client configuration. If you have any questions, you may contact the administrator of the application."
}

After double checking the request indeed contains the redirect_uri but that uri isnot registered so I misspoke apologies .

2. For the quickstart the custom resolver uses the deprecated config syntax and also omits the redirect uri. I was confused how Keycloak would be able to resolved the URI but most likely the dev realms are setup with some wildcards to make this possible. As I am not using keycloak I never actually installed the service or imported the realm configs.

[sberyozkin]

@uhexos OK, thanks for the clarifications....

As far as your own callback implementation is concerned, given that you know the structure of the original URl, http://localhost:9000/store/${tenantId}/dashboard, you can have something like

@Authenticated
@Path("my-callback")
public class Callback {

    @Inject OidcSession session;

    @GET
    public Response restoredOriginalPath(@Context UriInfo uriInfo) {
        URI uri = uriInfo.getBaseUriBuilder().path("store").path(session.tenantId()).path("dashboard").build();
        return Response.seeOther(uri);
    }
}

Something like that... Like I said, one does not have to do, but it is worth being aware of this option