@cdmbase/wiki-browser 12.0.18-alpha.5

package/lib/templates/content/docs/adminide-modules/project-tools/tenant-management/tenant-based-authentication.md

@@ -0,0 +1,846 @@
+@@ -0,0 +1,860 @@
+
+# Tenant Authentication System - Technical Guide
+
+## Overview
+
+This document provides a **technical deep-dive** into how tenant authentication works in the system, specifically focusing on the `cachedTenantInfoMiddleware`.
+
+**Location:** `packages-modules/user-auth0/server/src/modules/user-tenants/middleware/cached-tenant-info.middleware.ts`
+
+---
+
+## Table of Contents
+
+1. [Authentication Flow](#authentication-flow)
+2. [Middleware Implementation](#middleware-implementation)
+3. [Keycloak Validation](#keycloak-validation)
+4. [Request Headers](#request-headers)
+5. [Error Handling](#error-handling)
+6. [Security Considerations](#security-considerations)
+7. [Integration Guide](#integration-guide)
+8. [Testing & Debugging](#testing--debugging)
+
+---
+
+## Authentication Flow
+
+### High-Level Flow Diagram
+
+```
+┌─────────────────────────────────────────────────────────────────────┐
+│                        CLIENT APPLICATION                           │
+└───────────────────────────────┬─────────────────────────────────────┘
+                                │
+                                │ 1. HTTP Request with Headers:
+                                │    x-tenant-id: {tenantId}
+                                │    x-tenant-key: base64(clientId:secret)
+                                │
+                                ▼
+┌─────────────────────────────────────────────────────────────────────┐
+│                   CACHED TENANT INFO MIDDLEWARE                     │
+│                                                                     │
+│  ┌──────────────────────────────────────────────────────────────┐ │
+│  │ STEP 1: Extract Headers                                      │ │
+│  │  - Read x-tenant-id                                          │ │
+│  │  - Read x-tenant-key                                         │ │
+│  └──────────────────────────────────────────────────────────────┘ │
+│                                │                                    │
+│                                ▼                                    │
+│  ┌──────────────────────────────────────────────────────────────┐ │
+│  │ STEP 2: Lookup Tenant in MongoDB                            │ │
+│  │  - Connect to database                                       │ │
+│  │  - Find tenant by MongoDB _id (tenantId from header)        │ │
+│  │  - Retrieve tenant data with clientConfigurations           │ │
+│  └──────────────────────────────────────────────────────────────┘ │
+│                                │                                    │
+│                                ▼                                    │
+│  ┌──────────────────────────────────────────────────────────────┐ │
+│  │ STEP 3: Decode Credentials                                   │ │
+│  │  - Base64 decode x-tenant-key                                │ │
+│  │  - Split into clientId:clientSecret                          │ │
+│  │  - Validate format                                           │ │
+│  └──────────────────────────────────────────────────────────────┘ │
+│                                │                                    │
+│                                ▼                                    │
+│  ┌──────────────────────────────────────────────────────────────┐ │
+│  │ STEP 4: Match Client Configuration                           │ │
+│  │  - Find clientConfig with matching clientId                  │ │
+│  │  - Ensure client belongs to this tenant                      │ │
+│  └──────────────────────────────────────────────────────────────┘ │
+│                                │                                    │
+│                                ▼                                    │
+│  ┌──────────────────────────────────────────────────────────────┐ │
+│  │ STEP 5: Validate with Keycloak                               │ │
+│  │  - Call keycloakAdminService.verifyClientCredentials()       │ │
+│  │  - Verify clientId and clientSecret are valid                │ │
+│  │  - Check client is enabled                                   │ │
+│  └──────────────────────────────────────────────────────────────┘ │
+│                                │                                    │
+└────────────────────────────────┼────────────────────────────────────┘
+                                 │
+                    ┌────────────┴─────────────┐
+                    │                          │
+                    ▼                          ▼
+        ┌──────────────────┐      ┌──────────────────────┐
+        │   ✅ SUCCESS     │      │   ❌ FAILURE         │
+        │                  │      │                      │
+        │ - Set req.tenant │      │ - Return 401 Error   │
+        │ - Call next()    │      │ - Block request      │
+        └──────────────────┘      └──────────────────────┘
+                    │
+                    ▼
+        ┌──────────────────────┐
+        │   APPLICATION        │
+        │   ROUTE HANDLER      │
+        │                      │
+        │ - Access req.tenant  │
+        │ - Process request    │
+        └──────────────────────┘
+```
+
+---
+
+## Middleware Implementation
+
+### Full Source Code with Annotations
+
+```typescript
+/* packages-modules/user-auth0/server/src/modules/user-tenants/middleware/cached-tenant-info.middleware.ts */
+
+import type { CustomRequest } from '@adminide-stack/auth0-server-core';
+import { NextFunction, Response } from 'express';
+import { IClientConfigurations, ITenantModel } from 'common/server';
+import { keycloakAdminService } from '@adminide-stack/auth0-server-core';
+import { model, connect } from 'mongoose';
+import { config } from '../../../config';
+import { TenantSchema } from '../store';
+
+/**
+ * Validate tenant credentials against Keycloak
+ *
+ * @param encodedCredentials - Base64 encoded "clientId:secret"
+ * @param tenantData - Tenant document from MongoDB
+ * @returns true if valid, false otherwise
+ */
+const validateTenantWithKeycloak = async (encodedCredentials: string, tenantData: ITenantModel): Promise<boolean> => {
+    try {
+        // 1. Decode Base64 credentials
+        const decodedCredentials = Buffer.from(encodedCredentials, 'base64').toString('utf-8');
+
+        // 2. Split into clientId and clientSecret
+        const [clientId, clientSecret] = decodedCredentials.split(':');
+
+        // 3. Validate credential format
+        if (!clientId || !clientSecret) {
+            return false; // Invalid format
+        }
+
+        // 4. Ensure tenant exists
+        if (!tenantData) {
+            return false;
+        }
+
+        // 5. Find matching client configuration in tenant
+        const clientConfig = (tenantData.clientConfigurations as unknown as IClientConfigurations[])?.find(
+            (config) => config.clientId === clientId,
+        );
+
+        if (!clientConfig) {
+            return false; // Client doesn't belong to this tenant
+        }
+
+        // 6. Verify credentials with Keycloak
+        const isValid = await keycloakAdminService.verifyClientCredentials(clientId, clientSecret);
+
+        return isValid.valid;
+    } catch (error) {
+        console.error('Error validating tenant with Keycloak:', error);
+        return false;
+    }
+};
+
+/**
+ * Middleware: Authenticate tenant using header-based credentials
+ *
+ * Workflow:
+ * 1. Extract x-tenant-id and x-tenant-key headers
+ * 2. Lookup tenant in MongoDB
+ * 3. Validate credentials with Keycloak
+ * 4. Attach tenant to req.tenant if valid
+ * 5. Call next() or return 401
+ */
+export const cachedTenantInfoMiddleware = async (req: CustomRequest, res: Response, next: NextFunction) => {
+    try {
+        // ============================================
+        // STEP 1: Extract Request Headers
+        // ============================================
+        const tenantId = req.headers['x-tenant-id'] as string;
+        const tenantKey = req.headers['x-tenant-key'] as string;
+
+        // Only process if both headers are present
+        if (tenantId && tenantKey) {
+            // ============================================
+            // STEP 2: Connect to MongoDB
+            // ============================================
+            const mongoUrl = config.MONGO_URL;
+            await connect(mongoUrl);
+
+            // ============================================
+            // STEP 3: Lookup Tenant by ID
+            // ============================================
+            const TenantModel = model('UserTenant', TenantSchema);
+            const tenantData = (await TenantModel.findById(tenantId).exec()) as ITenantModel;
+
+            // ============================================
+            // STEP 4: Validate with Keycloak
+            // ============================================
+            const isValid = await validateTenantWithKeycloak(tenantKey, tenantData);
+
+            // ============================================
+            // STEP 5: Handle Validation Result
+            // ============================================
+            if (!isValid) {
+                // ❌ Invalid credentials
+                return res.status(401).json({
+                    error: 'Unauthorized',
+                    message: 'Invalid tenant credentials',
+                });
+            }
+
+            // ✅ Valid credentials - attach tenant to request
+            if (tenantData) {
+                req.tenant = tenantData as ITenantModel;
+            }
+
+            return next(); // Continue to route handler
+        }
+
+        // ============================================
+        // STEP 6: No Headers - Continue Without Auth
+        // ============================================
+        // If no tenant headers, skip validation
+        // (Other auth methods may handle this)
+        return next();
+    } catch (error) {
+        // ============================================
+        // STEP 7: Handle Errors
+        // ============================================
+        console.error('Error in cached tenant middleware:', error);
+        return res.status(500).json({
+            error: 'Internal Server Error',
+            message: 'Failed to process tenant information',
+        });
+    }
+};
+```
+
+---
+
+## Keycloak Validation
+
+### `keycloakAdminService.verifyClientCredentials()`
+
+This method validates client credentials against Keycloak.
+
+**Implementation (Conceptual):**
+
+```typescript
+class KeycloakAdminService {
+    async verifyClientCredentials(clientId: string, clientSecret: string): Promise<{ valid: boolean }> {
+        try {
+            // 1. Get Keycloak admin client
+            const adminClient = await this.getAdminClient();
+
+            // 2. Find client by clientId
+            const client = await adminClient.clients.find({
+                clientId: clientId,
+                realm: this.config.KEYCLOAK_REALM,
+            });
+
+            if (!client || client.length === 0) {
+                return { valid: false };
+            }
+
+            // 3. Get client secret from Keycloak
+            const secretData = await adminClient.clients.getClientSecret({
+                id: client[0].id,
+                realm: this.config.KEYCLOAK_REALM,
+            });
+
+            // 4. Compare secrets
+            const isValid = secretData.value === clientSecret;
+
+            // 5. Check if client is enabled
+            const isEnabled = client[0].enabled === true;
+
+            return { valid: isValid && isEnabled };
+        } catch (error) {
+            console.error('Keycloak validation error:', error);
+            return { valid: false };
+        }
+    }
+}
+```
+
+**What it checks:**
+
+- ✅ Client exists in Keycloak
+- ✅ ClientId matches
+- ✅ ClientSecret matches
+- ✅ Client is enabled (not disabled)
+- ✅ Client is in correct realm
+
+---
+
+## Request Headers
+
+### Required Headers
+
+| Header Name    | Type   | Format                          | Description                                          |
+| -------------- | ------ | ------------------------------- | ---------------------------------------------------- |
+| `x-tenant-id`  | String | MongoDB ObjectId (24 hex chars) | Identifies the tenant (MongoDB `_id`)                |
+| `x-tenant-key` | String | Base64 encoded                  | Encoded credentials: `base64(clientId:clientSecret)` |
+
+### Header Format Examples
+
+**Valid `x-tenant-id`:**
+
+```
+64f3a1b2c9d8e7f6a5b4c3d2
+```
+
+**Valid `x-tenant-key`:**
+
+```bash
+# Original credentials
+clientId: "abc123-def456-ghi789"
+clientSecret: "mySecret123ABC"
+
+# Encoded format
+echo -n "abc123-def456-ghi789:mySecret123ABC" | base64
+# Output: YWJjMTIzLWRlZjQ1Ni1naGk3ODk6bXlTZWNyZXQxMjNBQkM=
+
+# Header value
+x-tenant-key: YWJjMTIzLWRlZjQ1Ni1naGk3ODk6bXlTZWNyZXQxMjNBQkM=
+```
+
+### Complete HTTP Request Example
+
+```http
+POST /graphql HTTP/1.1
+Host: api.yourapp.com
+Content-Type: application/json
+x-tenant-id: 64f3a1b2c9d8e7f6a5b4c3d2
+x-tenant-key: YWJjMTIzLWRlZjQ1Ni1naGk3ODk6bXlTZWNyZXQxMjNBQkM=
+
+{
+  "query": "query { myData { id name } }"
+}
+```
+
+---
+
+## Error Handling
+
+### Error Scenarios and Responses
+
+#### 1. Missing Headers
+
+**Condition:** No `x-tenant-id` or `x-tenant-key` provided
+
+**Behavior:** Middleware passes through (no error)
+
+**Reason:** Other authentication methods may handle the request
+
+**Code Path:**
+
+```typescript
+if (tenantId && tenantKey) {
+    // Validation logic
+} else {
+    return next(); // ← Pass through
+}
+```
+
+#### 2. Invalid Tenant ID
+
+**Condition:** Tenant not found in MongoDB
+
+**Response:**
+
+```json
+{
+    "error": "Unauthorized",
+    "message": "Invalid tenant credentials"
+}
+```
+
+**HTTP Status:** `401 Unauthorized`
+
+**Reason:** `tenantData` is null/undefined
+
+#### 3. Malformed Credentials
+
+**Condition:** `x-tenant-key` not in `clientId:secret` format
+
+**Response:**
+
+```json
+{
+    "error": "Unauthorized",
+    "message": "Invalid tenant credentials"
+}
+```
+
+**HTTP Status:** `401 Unauthorized`
+
+**Triggered by:**
+
+```typescript
+const [clientId, clientSecret] = decodedCredentials.split(':');
+if (!clientId || !clientSecret) {
+    return false; // ← Validation fails
+}
+```
+
+#### 4. Client Not in Tenant
+
+**Condition:** `clientId` doesn't match any client in tenant's `clientConfigurations`
+
+**Response:**
+
+```json
+{
+    "error": "Unauthorized",
+    "message": "Invalid tenant credentials"
+}
+```
+
+**HTTP Status:** `401 Unauthorized`
+
+**Reason:** Prevents using valid Keycloak client for wrong tenant
+
+#### 5. Invalid Keycloak Credentials
+
+**Condition:** Client exists but secret is wrong
+
+**Response:**
+
+```json
+{
+    "error": "Unauthorized",
+    "message": "Invalid tenant credentials"
+}
+```
+
+**HTTP Status:** `401 Unauthorized`
+
+**Keycloak Check:**
+
+```typescript
+const isValid = await keycloakAdminService.verifyClientCredentials(clientId, clientSecret);
+
+if (!isValid.valid) {
+    return false; // ← Validation fails
+}
+```
+
+#### 6. System Error
+
+**Condition:** Database connection fails, Keycloak unreachable, etc.
+
+**Response:**
+
+```json
+{
+    "error": "Internal Server Error",
+    "message": "Failed to process tenant information"
+}
+```
+
+**HTTP Status:** `500 Internal Server Error`
+
+**Triggered by:** Exception in try/catch block
+
+---
+
+## Security Considerations
+
+### 🔒 Security Features
+
+1. **Multi-Layer Validation**
+    - Database lookup (tenant exists)
+    - Client ownership check (client belongs to tenant)
+    - Keycloak verification (credentials valid)
+
+2. **No Secret Storage**
+    - Secrets not stored in MongoDB
+    - Always validated against Keycloak (source of truth)
+    - Regenerated deterministically when needed
+
+3. **Base64 Encoding**
+    - Credentials encoded in transit
+    - Not encrypted (use HTTPS!)
+    - Prevents accidental logging
+
+4. **Tenant Isolation**
+    - Client must belong to tenant's `clientConfigurations`
+    - Prevents cross-tenant credential reuse
+
+### ⚠️ Security Best Practices
+
+#### DO ✅
+
+- Always use **HTTPS** in production
+- Rotate client secrets regularly
+- Log authentication failures for monitoring
+- Rate-limit authentication attempts
+- Use separate clients per service/environment
+
+#### DON'T ❌
+
+- Never expose credentials in frontend code
+- Don't hardcode credentials in source code
+- Don't share credentials between environments
+- Don't disable HTTPS "for testing"
+- Don't log decoded credentials
+
+### 🛡️ Attack Mitigation
+
+| Attack Type             | Mitigation                               |
+| ----------------------- | ---------------------------------------- |
+| **Credential Stuffing** | Rate limiting, Keycloak lockout policies |
+| **MITM**                | HTTPS enforcement                        |
+| **Replay Attacks**      | Short-lived tokens (if implemented)      |
+| **Cross-Tenant Access** | Client ownership validation              |
+| **SQL Injection**       | Mongoose parameterization                |
+| **Brute Force**         | Keycloak client lockout                  |
+
+---
+
+## Integration Guide
+
+### Adding Middleware to Express App
+
+```typescript
+import express from 'express';
+import { cachedTenantInfoMiddleware } from './middleware/cached-tenant-info.middleware';
+
+const app = express();
+
+// Apply globally to all routes
+app.use(cachedTenantInfoMiddleware);
+
+// Apply to specific routes
+app.use('/api/protected', cachedTenantInfoMiddleware, (req, res) => {
+    // Access tenant data
+    if (req.tenant) {
+        res.json({
+            message: `Welcome, ${req.tenant.name}`,
+            tenantId: req.tenant.tenantId,
+        });
+    } else {
+        res.status(401).json({ error: 'No tenant authenticated' });
+    }
+});
+
+app.listen(3000);
+```
+
+### Accessing Tenant in Route Handlers
+
+```typescript
+import { CustomRequest } from '@adminide-stack/auth0-server-core';
+import { Response } from 'express';
+
+app.get('/api/data', cachedTenantInfoMiddleware, async (req: CustomRequest, res: Response) => {
+    // Tenant is available in req.tenant
+    const tenant = req.tenant;
+
+    if (!tenant) {
+        return res.status(401).json({ error: 'Tenant required' });
+    }
+
+    // Use tenant data
+    console.log(`Request from tenant: ${tenant.name}`);
+    console.log(`Tenant ID: ${tenant.tenantId}`);
+    console.log(`Organization: ${tenant.organization}`);
+
+    // Query data scoped to tenant
+    const data = await DataModel.find({
+        tenantId: tenant.tenantId,
+    });
+
+    res.json({ data });
+});
+```
+
+### GraphQL Context Integration
+
+```typescript
+import { ApolloServer } from 'apollo-server-express';
+import { CustomRequest } from '@adminide-stack/auth0-server-core';
+
+const server = new ApolloServer({
+    typeDefs,
+    resolvers,
+    context: ({ req }: { req: CustomRequest }) => ({
+        // Tenant attached by middleware
+        tenant: req.tenant,
+        tenantId: req.tenant?.tenantId,
+        tenantName: req.tenant?.name,
+    }),
+});
+
+// In resolvers
+const resolvers = {
+    Query: {
+        myData: async (_, __, { tenant }) => {
+            if (!tenant) {
+                throw new Error('Tenant authentication required');
+            }
+
+            return DataModel.find({
+                tenantId: tenant.tenantId,
+            });
+        },
+    },
+};
+```
+
+---
+
+## Testing & Debugging
+
+### Manual Testing with cURL
+
+```bash
+#!/bin/bash
+
+# Configuration
+TENANT_ID="64f3a1b2c9d8e7f6a5b4c3d2"
+CLIENT_ID="your-keycloak-client-id"
+CLIENT_SECRET="your-client-secret"
+
+# Encode credentials
+TENANT_KEY=$(echo -n "${CLIENT_ID}:${CLIENT_SECRET}" | base64)
+
+# Make request
+curl -X POST https://api.yourapp.com/graphql \
+  -H "Content-Type: application/json" \
+  -H "x-tenant-id: ${TENANT_ID}" \
+  -H "x-tenant-key: ${TENANT_KEY}" \
+  -d '{
+    "query": "query { tenant(id: \"'${TENANT_ID}'\") { id name } }"
+  }' \
+  -v  # Verbose output for debugging
+```
+
+### Automated Tests
+
+```typescript
+import request from 'supertest';
+import app from '../app';
+
+describe('Tenant Authentication Middleware', () => {
+    const validTenantId = '64f3a1b2c9d8e7f6a5b4c3d2';
+    const validClientId = 'test-client-id';
+    const validClientSecret = 'test-client-secret';
+
+    const encodeCredentials = (clientId: string, secret: string) => {
+        return Buffer.from(`${clientId}:${secret}`).toString('base64');
+    };
+
+    it('should authenticate valid tenant credentials', async () => {
+        const response = await request(app)
+            .post('/api/protected')
+            .set('x-tenant-id', validTenantId)
+            .set('x-tenant-key', encodeCredentials(validClientId, validClientSecret))
+            .expect(200);
+
+        expect(response.body.tenant).toBeDefined();
+    });
+
+    it('should reject invalid tenant ID', async () => {
+        await request(app)
+            .post('/api/protected')
+            .set('x-tenant-id', 'invalid-id')
+            .set('x-tenant-key', encodeCredentials(validClientId, validClientSecret))
+            .expect(401);
+    });
+
+    it('should reject invalid credentials', async () => {
+        await request(app)
+            .post('/api/protected')
+            .set('x-tenant-id', validTenantId)
+            .set('x-tenant-key', encodeCredentials(validClientId, 'wrong-secret'))
+            .expect(401);
+    });
+
+    it('should pass through when no headers provided', async () => {
+        await request(app).post('/api/public').expect(200); // Or whatever your public route returns
+    });
+});
+```
+
+### Debugging Checklist
+
+When authentication fails, check:
+
+1. **Headers Present?**
+
+    ```bash
+    # Check request headers
+    curl -v ... | grep "x-tenant"
+    ```
+
+2. **Valid Base64?**
+
+    ```bash
+    # Decode and inspect
+    echo "YWJjOmRlZg==" | base64 -d
+    # Should output: "abc:def"
+    ```
+
+3. **Tenant Exists?**
+
+    ```javascript
+    // Check MongoDB
+    db.UserTenant.findById('64f3a1b2c9d8e7f6a5b4c3d2');
+    ```
+
+4. **Client in Tenant?**
+
+    ```javascript
+    // Check clientConfigurations
+    db.UserTenant.findOne({ _id: '64f3a1b2c9d8e7f6a5b4c3d2' }, { clientConfigurations: 1 });
+    ```
+
+5. **Keycloak Client Valid?**
+
+    ```bash
+    # Check Keycloak admin console
+    # Realm > Clients > Search for clientId
+    ```
+
+6. **Keycloak Reachable?**
+    ```bash
+    curl https://keycloak.yourapp.com/health
+    ```
+
+### Logging for Debugging
+
+Add detailed logging to middleware:
+
+```typescript
+const validateTenantWithKeycloak = async (encodedCredentials: string, tenantData: ITenantModel): Promise<boolean> => {
+    try {
+        console.log('[AUTH] Starting validation');
+
+        const decodedCredentials = Buffer.from(encodedCredentials, 'base64').toString('utf-8');
+
+        console.log('[AUTH] Decoded credentials format:', decodedCredentials.includes(':') ? 'valid' : 'invalid');
+
+        const [clientId, clientSecret] = decodedCredentials.split(':');
+        console.log('[AUTH] ClientId:', clientId ? 'present' : 'missing');
+        console.log('[AUTH] ClientSecret:', clientSecret ? 'present' : 'missing');
+
+        if (!clientId || !clientSecret) {
+            console.log('[AUTH] Invalid credential format');
+            return false;
+        }
+
+        const clientConfig = (tenantData.clientConfigurations as unknown as IClientConfigurations[])?.find(
+            (config) => config.clientId === clientId,
+        );
+
+        console.log('[AUTH] Client found in tenant:', !!clientConfig);
+
+        if (!clientConfig) {
+            console.log('[AUTH] Client not in tenant configurations');
+            return false;
+        }
+
+        console.log('[AUTH] Verifying with Keycloak...');
+        const isValid = await keycloakAdminService.verifyClientCredentials(clientId, clientSecret);
+
+        console.log('[AUTH] Keycloak validation result:', isValid.valid);
+
+        return isValid.valid;
+    } catch (error) {
+        console.error('[AUTH] Validation error:', error);
+        return false;
+    }
+};
+```
+
+---
+
+## Performance Considerations
+
+### Database Connection Pooling
+
+**Current Implementation:**
+
+```typescript
+await connect(mongoUrl); // Creates new connection each time
+```
+
+**Recommended Optimization:**
+
+```typescript
+// Create connection pool at startup
+let connection: Connection;
+
+export const getConnection = async () => {
+    if (!connection) {
+        connection = await connect(mongoUrl, {
+            maxPoolSize: 10,
+            minPoolSize: 2,
+        });
+    }
+    return connection;
+};
+
+// Use in middleware
+const connection = await getConnection();
+const TenantModel = connection.model('UserTenant', TenantSchema);
+```
+
+### Caching Tenant Data
+
+Consider adding Redis cache:
+
+```typescript
+import { Redis } from 'ioredis';
+
+const redis = new Redis();
+
+const getCachedTenant = async (tenantId: string): Promise<ITenantModel | null> => {
+    // Try cache first
+    const cached = await redis.get(`tenant:${tenantId}`);
+    if (cached) {
+        return JSON.parse(cached);
+    }
+
+    // Fallback to database
+    const tenant = await TenantModel.findById(tenantId);
+    if (tenant) {
+        // Cache for 5 minutes
+        await redis.setex(`tenant:${tenantId}`, 300, JSON.stringify(tenant));
+    }
+
+    return tenant;
+};
+```
+
+---
+
+## Related Documentation
+
+- [Complete Setup Guide](./TENANT_SETUP_GUIDE.md) - End-user documentation
+- [Project & Vault Setup](./PROJECT_VAULT_SETUP.md) - Project configuration
+- [Keycloak Documentation](https://www.keycloak.org/docs/latest/) - External reference
+
+---