> For the complete documentation index, see [llms.txt](https://andifalk.gitbook.io/openid-connect-workshop/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://andifalk.gitbook.io/openid-connect-workshop/bonus-labs/multi-tenant-server-app.md).

# Multi-Tenant Resource Server

This bonus lab demonstrates the [multi-tenancy](https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2resourceserver-multitenancy) feature of Spring Security.

To start the resource server just run the class *com.example.multitenant.MultiTenantServerAppApplication*.

## Provided API

This resource server just provides one API at <http://localhost:9090>. The API is secured and is only accessible by specifying a bearer JSON web token as *Authorization* header.

The resource server is configured as multi-tenant and as such it accepts access tokens by the following identity providers:

* Auth0 with Issuer <https://access-me.eu.auth0.com/>
* Okta with Issuer <https://dev-667216.oktapreview.com/oauth2/auskfyzkaoXSRnwTV0h7>

To call the API use the following commands ([Httpie](https://httpie.org/#installation) or [Curl](https://curl.haxx.se/download.html)). You may also use [Postman](https://www.getpostman.com/downloads) instead if you like a UI more,

**httpie**

```
http localhost:9090 'Authorization: Bearer [access_token]'
```

**curl**

```bash
curl -H 'Authorization: Bearer [access_token]' \
-v http://localhost:9090 | jq
```

## Using OKTA

To get an access token from [Okta](https://www.okta.com/) use one of the following commands.

**httpie**

```bash
http --form https://dev-667216.oktapreview.com/oauth2/auskfyzkaoXSRnwTV0h7/v1/token grant_type=password \
username=user@example.com password=Library_access#1 client_id=0oapjlvwd21SpAWL20h7 client_secret=Fb_ig1oa9WMzzJzvm9YtFZAiYJu196ZMgy9avOb9 scope="openid profile email"
```

**curl**

```bash
curl -X POST -d 'grant_type=password&username=user@example.com&password=Library_access#1&client_id=0oapjlvwd21SpAWL20h7&client_secret=Fb_ig1oa9WMzzJzvm9YtFZAiYJu196ZMgy9avOb9&scope=openid%20profile%20email' \
https://dev-667216.oktapreview.com/oauth2/auskfyzkaoXSRnwTV0h7/v1/token | jq
```

## Using Auth0

To get an access token from [Auth0](https://auth0.com/) use one of the following commands.

**httpie**

```bash
http --form https://access-me.eu.auth0.com/oauth/token grant_type=password \
username=user@example.com password=user_4demo! client_id=0ed4mVHfXVs294W1Ab5K5YBb7GM7O7Tn client_secret=uP6eNUwC__v7VSQR9ggDaSfRFIAZrHBVXSyCF9pZwkrTX0LJYwjuS5uxO1Wu35Ca \
scope="openid profile email"
```

**curl**

```bash
curl -X POST -d 'grant_type=password&username=user@example.com&password=user_4demo!&client_id=0ed4mVHfXVs294W1Ab5K5YBb7GM7O7Tn&client_secret=uP6eNUwC__v7VSQR9ggDaSfRFIAZrHBVXSyCF9pZwkrTX0LJYwjuS5uxO1Wu35Ca&scope=openid%20profile%20email' \
https://access-me.eu.auth0.com/oauth/token | jq
```
