OIDC with KeyCloak multi-tenant setup. #52844

mustafamotiwala · 2026-03-02T14:31:46Z

mustafamotiwala
Mar 2, 2026

I am trying to configure my application with OIDC. In our setup, each tenant in KeyCloak is configured in their own realm.
In my quarkus app, I have implemented a TenantConfigResolver which dynamically resolves the issuer to validate that the base URL matches. However, when I try to launch the app, I get an error about quarkus.oidc.auth-server-url not set. When I set the quarkus.oidc.auth-server-url to the base URL for my key-cloak server, the app fails to start because the OIDC endpoints don't work.

What might I be doing wrong? How should I go about doing this? My end-goal is to allow the OAuth2 authentication to work & validate JWT tokens using OIDC - provided the issuer base URL matches our KeyCloak instance.

@sberyozkin · 2026-03-02T14:31:50Z

quarkus-bot[bot]
bot Mar 2, 2026

/cc @sberyozkin (keycloak,oidc)

4 replies

sberyozkin Mar 2, 2026
Collaborator

@mustafamotiwala What Quarkus version is it ? Registering @ApplicationScoped tenant config resolver should be sufficient

mustafamotiwala Mar 2, 2026
Author

It is 3.30.6.

I have the bean defined as:

@ApplicationScoped
public class QuarkusKeycloakTenantConfigResolver implements TenantConfigResolver {
...

Without specifying the quarkus.oidc.auth-server-url the startup fails with:

java.lang.RuntimeException: java.lang.RuntimeException: Failed to start quarkus
	at io.quarkus.test.junit.QuarkusTestExtension.throwBootFailureException(QuarkusTestExtension.java:663)
	at io.quarkus.test.junit.QuarkusTestExtension.interceptTestClassConstructor(QuarkusTestExtension.java:758)
	at java.base/java.util.Optional.orElseGet(Optional.java:364)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
Caused by: java.lang.RuntimeException: Failed to start quarkus
	at io.quarkus.runner.ApplicationImpl.doStart(Unknown Source)
	at io.quarkus.runtime.Application.start(Application.java:101)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at io.quarkus.runner.bootstrap.StartupActionImpl.run(StartupActionImpl.java:350)
	at io.quarkus.test.junit.QuarkusTestExtension.doJavaStart(QuarkusTestExtension.java:229)
	at io.quarkus.test.junit.QuarkusTestExtension.ensureStarted(QuarkusTestExtension.java:637)
	at io.quarkus.test.junit.QuarkusTestExtension.beforeAll(QuarkusTestExtension.java:682)
	... 1 more
Caused by: io.smallrye.mutiny.CompositeException: Multiple exceptions caught:
	[Exception 0] io.quarkus.runtime.configuration.ConfigurationException: 'quarkus.oidc.auth-server-url' property must be configured
	[Exception 1] io.quarkus.oidc.OIDCException
	at...

With quarkus.oidc.auth-server-url set to the base url for my issuer: https://keycloak.example.com/ the startup fails with:

OIDC Server is not available:: io.quarkus.oidc.common.runtime.OidcEndpointAccessException
        at io.quarkus.oidc.common.runtime.OidcCommonUtils.lambda$doDiscoverMetadata$5(OidcCommonUtils.java:604)
        at io.smallrye.context.impl.wrappers.SlowContextualFunction.apply(SlowContextualFunction.java:21)
        at io.smallrye.mutiny.operators.uni.UniOnItemTransform$UniOnItemTransformProcessor.onItem(UniOnItemTransform.java:36)
        at io.smallrye.mutiny.vertx.AsyncResultUni.lambda$subscribe$1(AsyncResultUni.java:35)

sberyozkin Mar 2, 2026
Collaborator

@mustafamotiwala Sure, quarkus.oidc.tenant-enabled=false would be fine, please try.

Users should not be required to do quarkus.oidc.tenant-enabled=false though when a resolver is available, let me check

sberyozkin Mar 2, 2026
Collaborator

This code is not executing for some reasons in your case, https://github.com/quarkusio/quarkus/blob/main/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/TenantContextFactory.java#L189.

rameshreddy-adutla · 2026-03-04T19:57:18Z

rameshreddy-adutla
Mar 4, 2026

Quarkus OIDC has built-in multi-tenant support. The key is implementing a TenantConfigResolver that dynamically resolves the OIDC configuration per request based on the tenant/realm.

Here's the pattern:

@ApplicationScoped
public class CustomTenantConfigResolver implements TenantConfigResolver {

    @Override
    public Uni<OidcTenantConfig> resolve(RoutingContext context, OidcRequestContext<OidcTenantConfig> requestContext) {
        String tenantId = extractTenantId(context); // from path, header, or subdomain
        
        OidcTenantConfig config = new OidcTenantConfig();
        config.setTenantId(tenantId);
        config.setAuthServerUrl("https://keycloak.example.com/realms/" + tenantId);
        config.setClientId("my-app");
        config.setApplicationType(OidcTenantConfig.ApplicationType.SERVICE);
        
        return Uni.createFrom().item(config);
    }
    
    private String extractTenantId(RoutingContext context) {
        // Option 1: From path parameter
        // e.g., /api/{tenant}/resource
        return context.pathParam("tenant");
        
        // Option 2: From header
        // return context.request().getHeader("X-Tenant-ID");
    }
}

Important notes:

Each KeyCloak realm maps to a separate OIDC tenant in Quarkus
Quarkus caches the tenant configs, so resolved configs are reused for subsequent requests with the same tenant ID

You can also use static config in application.properties for known tenants:

quarkus.oidc.tenant-a.auth-server-url=https://keycloak/realms/tenant-a
quarkus.oidc.tenant-a.client-id=my-app

See the Quarkus OIDC Multi-Tenancy guide for the full documentation.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OIDC with KeyCloak multi-tenant setup. #52844

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 4 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

OIDC with KeyCloak multi-tenant setup. #52844

Uh oh!

mustafamotiwala Mar 2, 2026

Replies: 2 comments · 4 replies

Uh oh!

quarkus-bot[bot] bot Mar 2, 2026

Uh oh!

Uh oh!

sberyozkin Mar 2, 2026 Collaborator

Uh oh!

mustafamotiwala Mar 2, 2026 Author

Uh oh!

sberyozkin Mar 2, 2026 Collaborator

Uh oh!

sberyozkin Mar 2, 2026 Collaborator

Uh oh!

rameshreddy-adutla Mar 4, 2026

mustafamotiwala
Mar 2, 2026

Replies: 2 comments 4 replies

quarkus-bot[bot]
bot Mar 2, 2026

sberyozkin Mar 2, 2026
Collaborator

mustafamotiwala Mar 2, 2026
Author

sberyozkin Mar 2, 2026
Collaborator

sberyozkin Mar 2, 2026
Collaborator

rameshreddy-adutla
Mar 4, 2026