[keycloak-user] One client application, users in many organizations

Stian Thorgersen sthorger at redhat.com
Thu Jul 14 03:40:54 EDT 2016

On 13 July 2016 at 21:53, Aikeaguinea <aikeaguinea at xsmail.com> wrote:

> We have a client web application which accepts requests from users in
> many different unrelated organizations. Two approaches I see are 1) to
> create a realm per organization, or 2) create a single realm with our
> application as client, and assign users to different groups based on
> their organization.
> If we go with approach 1, I'm not sure how we'd handle the client ID and
> secret for our web app. If we had multiple realms in Keycloak, each with
> one client for our web application, somehow the web application would
> need to know which Keycloak client to use for which user, which sounds
> complicated and maybe untenable. On the other hand, clients can't span
> realms, can they?

Guess that depends on how many clients you are talking about. FYI we have a
multi-tenancy example that shows how you can have multiple configs for the
same app.

> If we go with 2, one complication is administration--e.g., bulk logout.
> If all the users are in the same realm, it doesn't appear to me that
> there's a way in the admin console to logout all sessions of users
> belonging to one group, or to disable all users belonging to a group. Is
> that right?

There's no option to do that yet, but we want to add support for bulk
updates to users in the future. See

> It also doesn't look straightforward to get from the API all the users
> for a given group--you can get the groups a user is in, but I don't see
> a call that does the inverse. Is there a way we could do this?

True - we don't support search by group. You can create a JIRA request for

> Or is there an entirely different approach I'm not thinking of?

Not without a lot of customization. However, we do provide several SPIs
that allow you to customize Keycloak to accommodate your needs.

For example, for option 1 you can use the admin API to create clients, which
would allow you to create the client in all realms.

For option 2 you could add a custom realm resource that allows logout or
disabling all users with a specific group.

> --
>   Aikeaguinea
>   aikeaguinea at xsmail.com
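The two workarounds sketched in the reply above, as an added example that is not code from this thread or from the Keycloak project: option 1 scripted against the admin REST API (create the same client in every realm, idempotently), and option 2 done client-side (the inverse group lookup the API lacks, walking the user list and checking each user's groups, followed by per-user logout and disable). Assumptions: `base_url` points at a Keycloak server with the 2016-era `/auth` prefix (e.g. `http://localhost:8080/auth`), the endpoints are `GET /admin/realms`, `GET|POST /admin/realms/{realm}/clients`, `GET /admin/realms/{realm}/users`, `GET /admin/realms/{realm}/users/{id}/groups`, `POST /admin/realms/{realm}/users/{id}/logout` and `PUT /admin/realms/{realm}/users/{id}`, and the `http` transport is injectable so the logic can be exercised offline against a fake server.

```python
"""Keycloak admin-API helpers for one app serving many tenant realms or groups.

Added example (not Keycloak project code). Assumes base_url includes the /auth
prefix used by Keycloak at the time of the thread, and an admin user that can
use the master realm's built-in admin-cli client.
"""
import json
import urllib.parse
import urllib.request


def urllib_http(method, url, headers=None, body=None):
    """Default transport: returns (status, parsed JSON or None)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def admin_token(base_url, username, password, http=urllib_http):
    """Password grant against the master realm's admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password}).encode()
    _, tok = http("POST", f"{base_url}/realms/master/protocol/openid-connect/token",
                  {"Content-Type": "application/x-www-form-urlencoded"}, form)
    return tok["access_token"]


def _api(http, token, method, url, payload=None):
    """Authenticated JSON call; returns (status, parsed body or None)."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps(payload).encode() if payload is not None else None
    return http(method, url, headers, body)


# --- option 1: realm per organization, the same client created in every realm
def ensure_client_in_all_realms(base_url, token, client_rep, http=urllib_http):
    """Create client_rep in each realm unless a client with that clientId exists.
    Returns {realm: "created" | "exists" | "error:<status>"}."""
    _, realms = _api(http, token, "GET", f"{base_url}/admin/realms")
    result = {}
    for realm in (r["realm"] for r in realms):
        q = urllib.parse.quote(client_rep["clientId"])
        _, existing = _api(http, token, "GET",
                           f"{base_url}/admin/realms/{realm}/clients?clientId={q}")
        if existing:
            result[realm] = "exists"
            continue
        status, _ = _api(http, token, "POST",
                         f"{base_url}/admin/realms/{realm}/clients", client_rep)
        result[realm] = "created" if status == 201 else f"error:{status}"
    return result


# --- option 2: single realm, users grouped by organization
def users_in_group(base_url, token, realm, group_name, http=urllib_http, page=100):
    """Inverse lookup the thread says the API lacks: page through all users and
    keep those whose own group list contains group_name."""
    members, first = [], 0
    while True:
        _, users = _api(http, token, "GET",
                        f"{base_url}/admin/realms/{realm}/users?first={first}&max={page}")
        if not users:
            return members
        for u in users:
            _, groups = _api(http, token, "GET",
                             f"{base_url}/admin/realms/{realm}/users/{u['id']}/groups")
            if any(g["name"] == group_name for g in groups):
                members.append(u)
        first += page


def bulk_logout_and_disable(base_url, token, realm, group_name,
                            http=urllib_http, disable=True):
    """Remove every session of each group member, then (optionally) disable the
    account so no new session can be opened. Returns the usernames handled."""
    done = []
    for u in users_in_group(base_url, token, realm, group_name, http):
        uid = u["id"]
        _api(http, token, "POST", f"{base_url}/admin/realms/{realm}/users/{uid}/logout")
        if disable:
            _api(http, token, "PUT", f"{base_url}/admin/realms/{realm}/users/{uid}",
                 dict(u, enabled=False))
        done.append(u["username"])
    return done
```

Two points worth keeping in mind: `ensure_client_in_all_realms` deliberately leaves the secret out of the representation so Keycloak generates a distinct one per realm (a shared secret across tenant realms means one leaked secret affects every tenant), and the application then needs the per-realm secrets in its multi-tenant configuration. Logging out before disabling matters because disabling a user does not by itself end sessions that already exist; the order above closes both paths.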