openid &mdash; milan https://text.tchncs.de/milan/tag:openid Milans personal little blogthingie. :) Fri, 17 Apr 2026 08:05:51 +0000 OpenTalk Multi-Tenancy https://text.tchncs.de/milan/opentalk-multi-tenancy <![CDATA[As of v0.2.0 of the OpenTalk controller, multi-tenancy is supported and enabled by default. This feature is mostly interesting for larger organizations and will become optional as of v0.3.0. However, if you want or must use it (as per releasetag), it will require you to alter your Keycloak setup like follows, otherwise things will not work as expected. Configuring Keycloak Create a new Client scope in your OpenTalk realm with the following parameters: 1.1 Name: tenancy 1.2 Type: default 1.3 Protocol: openid-connect 1.4 Checkboxes: all teh boxes Navigate to the tab Mappers 2.1 Click the new mapper button - By configuration 2.2 Choose Hardcoded claim Fill relevant fields of the new mapper 3.1 Name: tenantid 3.2 Token Claim Name: tenantid 3.3 Claim Value: OpenTalkDefaultTenant 3.4 save Navigate to the Clients section of your realm and select your OtFrontend. Click Add client scope and select the newly added tenancy scope as Default. The new ID should have been added by default in the backend. You can verify this with the k3k-controller tenants command: docker exec -it 123abcde /controller/k3k-controller tenants list. It should return something like: id | oidcid --------------------------------------+----------------------- c9677f8c-1234-1234-1234-12348b5b4bfd | OpenTalkDefaultTenant This command can also set a new id using set-oidc-id, but this would bring the users assigned tenandid out of sync if it already exists. Make sure that the id equals the result of select tenant_id from users; in the database k3k. small#opentalk #keycloak #openid/small Signature (thanks for reading): Follow me on Mastdodon]]> As of v0.2.0 of the OpenTalk controller, multi-tenancy is supported and enabled by default. This feature is mostly interesting for larger organizations and will become optional as of v0.3.0.

However, if you want or must use it (as per releasetag), it will require you to alter your Keycloak setup like follows, otherwise things will not work as expected.

Configuring Keycloak

  1. Create a new Client scope in your OpenTalk realm with the following parameters: 1.1 Name: tenancy 1.2 Type: default 1.3 Protocol: openid-connect 1.4 Checkboxes: all teh boxes
  2. Navigate to the tab Mappers 2.1 Click the new mapper button –> By configuration 2.2 Choose Hardcoded claim
  3. Fill relevant fields of the new mapper 3.1 Name: tenant_id 3.2 Token Claim Name: tenant_id 3.3 Claim Value: OpenTalkDefaultTenant 3.4 save
  4. Navigate to the Clients section of your realm and select your OtFrontend.
  5. Click Add client scope and select the newly added tenancy scope as Default.

The new ID should have been added by default in the backend. You can verify this with the k3k-controller tenants command: docker exec -it 123abcde /controller/k3k-controller tenants list.
It should return something like:

 id                                   | oidc_id
--------------------------------------+-----------------------
 c9677f8c-1234-1234-1234-12348b5b4bfd | OpenTalkDefaultTenant

This command can also set a new id using set-oidc-id, but this would bring the users assigned tenand_id out of sync if it already exists. Make sure that the id equals the result of select tenant_id from users; in the database k3k.

#opentalk #keycloak #openid

Signature (thanks for reading):
Follow me on Mastdodon

]]> https://text.tchncs.de/milan/opentalk-multi-tenancy Wed, 05 Apr 2023 17:08:47 +0000