[keycloak-user] Multitenancy for WAR

Bill Burke bburke at redhat.com
Fri Sep 5 10:14:08 EDT 2014 

I think it would be 1 day work for me, as again, I already refactored 
the adapters to support this use case.  It would just be a matter of:

* Making AdatperDeploymentContext pluggable
* Writing an AdapterDeploymentContext which could accept a URI pattern 
to extract the name of the realm.

Once I have that in place, you guys can fork it and implement anything 
you want.  What I think I want to do, is keep this SPI private until 
users like you have testdrived it.

On 9/4/2014 7:17 PM, Travis De Silva wrote:
> Hi Bill,
>
> Sorry for missing your ping as this is something that we definitely
> need. I was going down the keycloak.js path (since we use AngularJS as
> our UI layer) but doing it on the server side is so much more elegant.
>
> Picking the realm name from the URI is the way to go. Maybe we have it
> as a query parameter rather than within the path as then it is less
> invasive for the war application.
>
> I don't understand the keycloak code base enough to comment on how we
> can deploy the new AdapterDeploymentContext but what if this feature is
> plugged into the current AdapterDeploymentContext and this is a feature
> of the core product?
>
> Also with regard to getting realm information from the server using a
> shared client secret, or public clients, another way to do this might be
> to provide an alternate way to pick the keycloak.json file by storing it
> outside the war in the file system and then based on the realm name in
> the uri, pick the corresponding keycloak.json file and run the
> KeycloakDeployment. We can name the the files as keycloak-{realmname}.json
>
> Note we can keep the current functionality where it can pick it from
> within the war but if the file is missing, currently its throwing an
> exception. Maybe before we throw the exception, we also check the file
> system as well.
>
> Then maybe we don't need to load this on request but can have a
> directory scanner and whenever a new file is added or removed, it will
> automatically pick it up. Sort of how the JBoss/Wildfly deployment
> scanner works. On each request of course it will need to pick the
> correct realm to perform the authentication.
>
> This might be more elegant but once again I don't know enough of the
> core keycloak code to comment if doing this is more complex than the
> other option.
>
> Obviously these changes will not go into 1.0 release but a subsequent
> release (hopefully the first beta release after 1.0 :)
>
> Therefore it might be good to give some thought and get this right. For
> me this and the multi-lingual are the two key items that we need to tick
> off to be able to use this in a multi tenancy environment.
>
> Keen to know your thoughts.
>
> Cheers
> Travis
>
>
>
>
> On Thu, Sep 4, 2014 at 11:15 PM, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
>     Travis, I did do most of the work for this.  I think I pinged you to see
>     if you still wanted the feature, but never followed through.  I'm sorry.
>
>     All this would require a shared client secret, or public clients.  It
>     would require you to extract the realm name somehow based on the current
>     HTTP request.  Probably a URI pattern.
>
>     There is an AdapterDeploymentContext class.  This class has a method:
>
>     KeycloakDeployment resolveDeployment(HttpFacade)
>
>     This method get's called every request.  You would extend this class and
>     override resolveDeployment and create (and then cache) your
>     KeycloakDeployment based on the incoming HTTP request.
>
>     The only problem is that the current code has no way for you to plug in
>     a new implementation of the AdapterDeploymentContext.
>
>     On 9/4/2014 2:36 AM, Travis De Silva wrote:
>      > Hi Stian,
>      >
>      > You proposed solution would not cover the use case where we can
>     create
>      > tenants at runtime as the realm config in the keycloak.json would be
>      > hard coded into the war.
>      >
>      > I had discussed this identical use case a while ago on this forum and
>      > Bill was planning to refactor the adapters to support this use case.
>      > Unfortunately he got caught up in other tasks and was not able to
>      > proceed on this.
>      >
>      > The discussion thread is here
>      > http://lists.jboss.org/pipermail/keycloak-user/2014-March/000062.html
>      >
>      > Basically what I believe Bill suggested which would meet this use
>     case
>      > is to:
>      >
>      >  1. Have a shared secret between clients for all realms.
>      >  2. The adapter would just extract the realm name from the request,
>      >     invoke on the keycloak server to get the public information about
>      >     the realm (i.e. public key) and then cache the information
>     locally.
>      >
>      > The key bit here is extracting the realm name from the request
>     and then
>      > pulling the realm info from the keycloak server.
>      >
>      > I had a look at the keycloak source code and I believe the magic
>     happens
>      > in the KeycloakServletExtension class under the
>      > org.keycloak.adapters.undertow package for my use case (since I
>     deploy
>      > it on wildfly)
>      >
>      > What I have got stumped is that this class gets loaded when my war is
>      > deployed and I am wondering how I can do it per request (if the
>     info is
>      > not already cached locally)
>      >
>      > Maybe with the imminent release of 1.0 (btw congrats for the
>     great work
>      > to everyone in the team and for Bill and your leadership), maybe we
>      > should start thinking about this multi tenancy use case to be
>     included
>      > in future releases.
>      >
>      > I believe that SaaS models are going to be popular and having this
>      > feature added will make keycloak a major player in this space.
>      >
>      > Cheers
>      > Travis
>      >
>      >
>      >
>      >
>      > _______________________________________________
>      > keycloak-user mailing list
>      > keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>      > https://lists.jboss.org/mailman/listinfo/keycloak-user
>      >
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org <mailto:keycloak-user at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-user mailing list