[keycloak-user] One client application, users in many organizations

Stian Thorgersen sthorger at redhat.com
Fri Jul 15 01:32:13 EDT 2016 

On 14 July 2016 at 18:41, Aikeaguinea <aikeaguinea at xsmail.com> wrote:

> Thanks very much Stian. It sounds like the best approach for us would be
> to have one realm per organization and to share clients across them. One
> realm per organization sounds like the use case for realms, and practically
> speaking it not only lets us do bulk operations on all users within a
> realm, but it also lets us have different combinations of clients for
> different organizations.
>

One realm per organization is not directly the use case for realms. Realms
are for when you want isolated config and users. In your case there are
other things than clients you need to deal with as well. Realm settings,
etc.. It's up to you if you want that isolation per-organization or not.


>
> A few more questions, if I may:
>
> Is the example of multi tenancy you mention this one:
> https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant ?
>

Yes


>
> In that example there are multiple .json files, one for each tenant, and
> you mention doing the same thing with the admin API.
> The API call for creating a new client is a POST to
> /admin/realms/{realm}/clients . Does doing two POST calls with the same
> client ID to two different realms create the same client in both realms?
>

You don't need multiple json files. You can create the configuration
programatically as well based on a single json file by just swapping the
realm name for the organization name for example.

Just remove the public key from the json file (as the adapter will download
it from Keycloak if you don't specify it) and make sure the client-id and
secret are the same.


>
> Can the same thing be achieved by creating the realms in the admin console
> and then creating the client with that ID within the realms?
>

Admin console doesn't directly let you specify secret. If you import the
client from a json file in the admin console then you can specify the
secret.


>
> If I create a client with client ID myapp in Realm 1, and then I go into
> Realm 2 and create a client with the same ID, will they automatically share
> the same client secret?
>

No, there is total isolation between realms.


>
> Also, if I'm in the admin console for Realm 1 and I look at the sessions
> for client myapp, I imagine I see only the sessions pertaining to users
> within the realm. Is that right?
>

Yes


>
> Thanks for the help. I'll create a JIRA for search by group because it
> would be useful in any event.
>
>
> On Thu, Jul 14, 2016, at 03:40 AM, Stian Thorgersen wrote:
>
>
>
> On 13 July 2016 at 21:53, Aikeaguinea <aikeaguinea at xsmail.com> wrote:
>
> We have a client web application which accepts requests from users in
> many different unrelated organizations. Two approaches I see are 1) to
> create a realm per organization, or 2) create a single realm with our
> application as client, and assign users to different groups based on
> their organization.
>
> If we go with approach 1, I'm not sure how we'd handle the client ID and
> secret for our web app. If we had multiple realms in Keycloak, each with
> one client for our web application, somehow the web application would
> need to know which Keycloak client to use for which user, which sounds
> complicated and maybe untenable. On the other hand, clients can't span
> realms, can they?
>
>
> Guess that depends on how many clients you are talking about. FIY we have
> a multi tenancy example that shows how you can have multiple configs for
> the same app.
>
>
>
> If we go with 2, one complication is administration--e.g., bulk logout.
> If all the users are in the same realm, it doesn't appear to me that
> there's a way in the admin console to logout all sessions of users
> belonging to one group, or to disable all users belonging to a group. Is
> that right?
>
>
> There's no option to do that yet, but we want to add support for bulk
> updates to users in the future. See
> https://issues.jboss.org/browse/KEYCLOAK-1413
>
>
>
> It also doesn't look straightforward to get from the API all the users
> for a given group--you can get the groups a user is in, but I don't see
> a call that does the inverse. Is there a way we could do this?
>
>
> True - we don't support search by group. You can create a JIRA request for
> that.
>
>
>
> Or is there an entirely different approach I'm not thinking of?
>
>
> Not without a lot of customization. However, we do provide several SPIs
> that allow you to customize Keycloak to accommodate your needs.
>
> For example for option 1 you can use admin api to create clients which
> would allow you to create the client in all realms.
>
> For option 2 you could add a custom realm resource that allows logout or
> disabling all users with a specific group.
>
>
>
> --
> Aikeaguinea
> aikeaguinea at xsmail.com
>
> --
> http://www.fastmail.com - Accessible with your email software
> or over the web
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> --
>   Aikeaguinea
>   aikeaguinea at xsmail.com
>
>
>
> -- http://www.fastmail.com - A fast, anti-spam email service.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160715/88b4b3e6/attachment-0001.html

More information about the keycloak-user mailing list