Tags: openid-connect, quarkus, multi-tenant

Multitenancy in Quarkus: get tenant ID from SecurityIdentity instead of request path


I'm experimenting with OIDC multitenancy in Quarkus. The examples in the official documentation use the request path to infer the tenant id and then select the OIDC config based on that.

What I want to achieve instead is to get the tenant id from a claim in the current user's token. I have created a custom TenantConfigResolver. To get the claim value I injected SecurityIdentity in the resolver. This works fine.

But the moment I want to read a claim from it, using ((OidcJwtCallerPrincipal) securityIdentity.getPrincipal()).getClaim("..."), I get this exception: java.lang.IllegalStateException: The current thread cannot be blocked: vert.x-eventloop-thread-3.

Same thing happens if I try it in a TenantResolver (as opposed to a TenantConfigResolver).

Does it even make sense what I'm trying to do? And if yes, what is the correct way of doing this?


Solution

  • This is happening because the security identity has not been verified and prepared yet. In this case you need to get the claims from the raw token: use the Vert.x RoutingContext which is available as a resolver method parameter (context.request().headers()) to get the token from the Authorization header, split it by ., and Base64 URL decode the middle part of the sequence, which contains the claims in JSON format. For example, you can try io.quarkus.oidc.runtime.OidcUtils.decodeJwtContent(rawToken), which will do all of that and return a Vert.x JsonObject representation of the claims. Now all is ready to check the claim and choose the prepared tenant dynamically. HTH
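As an added illustration (not part of the original question or answer, and not Quarkus project code), here is what the approach described in the answer can look like in a TenantResolver: read the bearer token from the Authorization header of the RoutingContext, decode the unverified payload with OidcUtils.decodeJwtContent, and map a claim to one of the tenants configured in application.properties. The claim name `tenant`, the tenant ids `tenant-a`/`tenant-b`, the package name and the jakarta namespace (Quarkus 3; Quarkus 2 uses javax) are assumptions.

```java
package org.acme.oidc; // hypothetical package name

import java.util.Map;

import jakarta.enterprise.context.ApplicationScoped;

import io.quarkus.oidc.TenantResolver;
import io.quarkus.oidc.runtime.OidcUtils;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;

/**
 * Picks the OIDC tenant from a claim in the bearer token, as the answer suggests.
 *
 * At this point the token has NOT been verified: the claim is read from the raw,
 * Base64 URL-decoded payload and is only used to decide which tenant configuration
 * will then verify signature, issuer, audience and expiry. The value read here must
 * never be treated as an authenticated fact about the caller.
 */
@ApplicationScoped
public class ClaimBasedTenantResolver implements TenantResolver {

    // Assumed claim name. The tenant ids on the right must exist in application.properties,
    // e.g. quarkus.oidc.tenant-a.auth-server-url=... and quarkus.oidc.tenant-b.auth-server-url=...
    private static final String TENANT_CLAIM = "tenant";
    private static final Map<String, String> CLAIM_TO_TENANT = Map.of(
            "acme", "tenant-a",
            "globex", "tenant-b");

    @Override
    public String resolve(RoutingContext context) {
        String authorization = context.request().getHeader(HttpHeaders.AUTHORIZATION);
        if (authorization == null || !authorization.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return null; // no bearer token: returning null selects the default tenant
        }
        String rawToken = authorization.substring(7).trim();

        // OidcUtils.decodeJwtContent splits on '.', Base64 URL-decodes the middle part and
        // parses it as JSON. Anything that is not a well-formed three-part JWT is treated as
        // "no tenant hint" so a malformed token cannot influence tenant selection.
        JsonObject claims;
        try {
            claims = OidcUtils.decodeJwtContent(rawToken);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        if (claims == null) {
            return null;
        }

        // Only an allow-listed claim value maps to a tenant id; an unknown or tampered value
        // falls back to the default tenant instead of steering the request to an arbitrary
        // configuration. The chosen tenant still performs full token verification.
        String claimValue = claims.getString(TENANT_CLAIM);
        return claimValue == null ? null : CLAIM_TO_TENANT.get(claimValue);
    }
}
```

Because a TenantResolver is invoked before verification, it runs on the event loop and must not touch SecurityIdentity or anything blocking; reading the header and decoding the payload is all that is needed to select the tenant, and the real claim checks belong in the verified identity once the selected tenant has authenticated the request.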