From ea82a6710c3ed7c3da60404c880ed5eae78af43b Mon Sep 17 00:00:00 2001 From: Stefan Henke Date: Mon, 30 Mar 2026 14:44:07 +0200 Subject: [PATCH 1/2] Document tenant-specific IAS host injection in RequestContext Added instructions for injecting tenant-specific IAS host in background threads. --- guides/security/cap-users.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 599467b0e..e599f4e35 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -1529,6 +1529,16 @@ Avoid iterating through all subscriber tenants to perform tenant-specific tasks. Instead, prefer a task-based approach which processes specific subscriber tenants selectively. ::: +When creating a new RequestContext in a background thread (without propagating an existing request), you must manually inject the tenant-specific IAS host to use IAS-based Remote Services. Unlike inherited request contexts that automatically carry authentication details, a fresh asynchronous request lacks the IAS host information required for remote service calls. The host can be retrieved from a `TenantInfo` object provided for example by the `TenantProviderService`. + +```java +TenantInto tenantInfo = ...; +String tenantHost = tenantInfo.get("subscriber").get("tenantHost"); +runtime.requestContext().systemUser(tenantId).modifyUser(user->user.setAdditionalAttribute("iss", tenantHost)).run((reqContext) -> { +… +}); +``` +
From a4c258595c68c612580520cf402c56925caef567 Mon Sep 17 00:00:00 2001 From: Stefan Henke Date: Thu, 2 Apr 2026 11:45:07 +0200 Subject: [PATCH 2/2] Update cap-users.md --- guides/security/cap-users.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index e599f4e35..82944422f 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -1529,13 +1529,13 @@ Avoid iterating through all subscriber tenants to perform tenant-specific tasks. Instead, prefer a task-based approach which processes specific subscriber tenants selectively. ::: -When creating a new RequestContext in a background thread (without propagating an existing request), you must manually inject the tenant-specific IAS host to use IAS-based Remote Services. Unlike inherited request contexts that automatically carry authentication details, a fresh asynchronous request lacks the IAS host information required for remote service calls. The host can be retrieved from a `TenantInfo` object provided for example by the `TenantProviderService`. +To use IAS-based Remote Services in background executions, you must in addition manually inject the tenant-specific IAS host into the created Request Context. Unlike inherited request contexts that automatically carry authentication details, a fresh Request Context lacks the IAS host information required for remote service calls. The host can be retrieved from a `TenantInfo` object provided for example by the `TenantProviderService`. ```java TenantInto tenantInfo = ...; String tenantHost = tenantInfo.get("subscriber").get("tenantHost"); runtime.requestContext().systemUser(tenantId).modifyUser(user->user.setAdditionalAttribute("iss", tenantHost)).run((reqContext) -> { -… +… //call remote service }); ```
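Review bot: In [PATCH 1/2], the first line of the added Java snippet declares the variable as `TenantInto tenantInfo = ...;`, while the paragraph above it names the type `TenantInfo`. This looks like a typo that will not compile when copied; please change it to `TenantInfo`. In the same snippet, `tenantId` is passed to `systemUser(tenantId)` without being introduced, so a one-line declaration or a comment saying where it comes from would help. The lookup `tenantInfo.get("subscriber").get("tenantHost")` shows no handling for a missing `subscriber` entry or a missing `tenantHost` value. Since the result is written into the `iss` attribute that the remote service call relies on, the documented pattern should check for it and fail before `run(...)` rather than proceed with an empty issuer. The chained `runtime.requestContext()...run(...)` call would also read better with one call per line.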
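Review bot: In [PATCH 2/2], the changed snippet line `… //call remote service` keeps the literal `…` character in front of the comment, so the block still is not valid Java; I would make the line just `// call remote service`. The `TenantInto` typo from the first patch is still present in the unchanged context line directly above and could be fixed in this follow-up. In the reworded paragraph, "you must in addition manually inject" is awkward and does not say in addition to what; something like "you must also inject" with a reference to the preceding step would be clearer. The paragraph also mixes "Request Context" and "request contexts" in consecutive sentences, and the earlier wording's `RequestContext` matched the API name, so please pick one spelling. The removed clause "(without propagating an existing request)" stated when this step applies, and I would keep that condition in some form.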