This is an example project to demonstrate some issue when using Keycloak's Policy-Enforcers in a multi-tenant configuration.

It seems that Keycloak Spring-Boot adapter's policy-enforcer, used in a multi-tenant architecture, causes some requests to randomly respond with a 403 error code.

It is unclear at the moment what is the root cause of this but from what I understand so far, this could be due to some "shared" object having the policy-enforcer URL in the Spring context.

If two requests, for distinct realms, happen at the same time, there's a slight chance for one request to impact the other and having one of the request to call Keycloak policy-enforcer check on the wrong realm which result in a DENIED response from Keycloak and a 403 response from Spring.

This will create a Keycloak with 2 realms: rayman & globox. It is exposed on port 8081.

Each realm look exactly the same, they both have a bar client configured with policy-enforcers on the route /api/v1/foo/*.

docker-compose up

The Spring-Boot application is exposed under port 8080.

It exposes two APIs:

• GET /api/v1/foo. This one is protected using Keycloak policy-enforcer configuration.
• GET /api/v1/bar. This one is not protected at all in order to compare.

./mvnw spring-boot:run -Dspring-boot.run.arguments=--logging.level.org.keycloak=TRACE

In order to test, you need to create a user in both realms and assign him the realm role ROLE_TEST.

After doing that, you need to run the script once for each realm. Open two terminal windows and execute the following commands. You should notice that with 1 script running you always get a 200 response code and then when you run the script against the second realms, you'll notice 403 errors happening randomly on each realm.

# Create users
./create-test-users.sh

# Execute the test (should be executed at the same time using different terminal windows)
python3 ./keycloak-test.py -keycloak_endpoint 'http://localhost:8081' -realm rayman -client_id bar -client_secret '03daa338-740e-42e8-8166-3db2b4848d4d' -username test -password test -service_endpoint 'http://localhost:8080/api/v1/foo'
python3 ./keycloak-test.py -keycloak_endpoint 'http://localhost:8081' -realm globox -client_id bar -client_secret '0cfa413d-63d1-4787-a9f5-0b5ac76540ec' -username test -password test -service_endpoint 'http://localhost:8080/api/v1/foo'