[keycloak-user] Spring Boot with multiple Keycloak instances

Sebastien Blanc sblanc at redhat.com
Mon Mar 5 10:49:56 EST 2018


On Mon, Mar 5, 2018 at 4:25 PM, Cedric Thiebault <
cedric.thiebault at sensefly.com> wrote:

> Thanks Sebastien!
>
>
> Multi-tenancy config implies that secured resources have different paths
> depending on which keycloak should be used.
>

That particular example just uses the path as discriminator but you can use
anything to pick up the right config file. Imagine a custom header that the
clients add to the request:

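import java.io.InputStream;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

public class MyCustomConfigResolver implements KeycloakConfigResolver {
    // Parsed deployments, keyed by config file, so each file is read only once
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        // Constant-first equals() avoids a NullPointerException when the header is absent
        String config = "customer".equals(request.getHeader("my-custom-header"))
                ? "/customer-keycloak.json"
                : "/employee-keycloak.json";
        return cache.computeIfAbsent(config, path -> {
            InputStream is = getClass().getResourceAsStream(path);
            return KeycloakDeploymentBuilder.build(is);
        });
    }
}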


> But let's imagine I have a user-service (bearer-only) with secured
> resource */users/{user-id}*.
>
> This resource is used by:
>
> - internal apps (user is authenticated by keycloak for employee)
>
> - customer portal (user is authenticated by keycloak for customers)
>
>
> I don't see how I can configure user-service to iterate over available
> Keycloak...
>
>
> Should I duplicate authentication filters in
> org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter#configure
>
> .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
> .addFilterBefore(keycloakAuthenticationProcessingFilter(), BasicAuthenticationFilter.class)
> .addFilterBefore(keycloakAuthenticatedActionsFilter(), BasicAuthenticationFilter.class)
> .addFilterAfter(keycloakSecurityContextRequestFilter(), SecurityContextHolderAwareRequestFilter.class)
>
>
> Not sure I understand what you want to achieve here.

> I hope I'm clear enough :-/
>
>
> Thanks for your help!
>
>
> Cedric
>
>
> ------------------------------
> *From:* Sebastien Blanc <sblanc at redhat.com>
> *Sent:* Friday, March 2, 2018 9:48:57 AM
> *To:* Cedric Thiebault
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Spring Boot with multiple Keycloak
> instances
>
> Hi Cedric,
>
> You mention "keycloak.json" so I assume you are using the Spring Security
> Adapter? If this is the case we don't have an out of the box solution but
> you can solve it by implementing your own KeycloakConfigResolver, take a
> look here
> http://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
> then in your Spring Boot app declare a bean to point to the new config
> resolver like:
>
> @Bean
> public KeycloakConfigResolver KeycloakConfigResolver() {
>     return new MyCustomConfigResolver();
> }
>
> If you are using Spring Boot adapter "standalone" with the config in the
> properties file, then we don't support multitenancy yet but we are working
> on a solution.
>
> On Fri, Mar 2, 2018 at 9:25 AM, Cedric Thiebault <
> cedric.thiebault at sensefly.com> wrote:
>
> Hello,
>
> We are developing a REST API (Spring Boot micro-services) secured by
> Keycloak.
>
> We would like to use 2 different Keycloak instances:
> - one for employees linked to our Active Directory
> - one for our customers
> The idea is to isolate environments to reduce the impact on customer side
> when modifying internal services...
>
> Securing a Spring Boot app with Keycloak Spring adapters is easy (thanks
> guys!). But I don't see in documentation how to use 2 Keycloak instances as we
> always refer to a single keycloak.json.
>
> Is securing a Spring Boot app with 2 different Keycloak instances possible?
>
> Thanks for your help!
>
> Cedric
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
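
Added example, not part of the original thread and not Keycloak's own code: for the case raised above, where one bearer-only resource receives tokens from either Keycloak instance, a KeycloakConfigResolver can pick the config from the token's own "iss" claim rather than from a header the client chooses freely. The class name IssuerConfigResolver, the issuer URLs and the fallback choice are assumptions; the config file names are the ones from the message, and Jackson is assumed to be on the classpath.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

public class IssuerConfigResolver implements KeycloakConfigResolver {
    // Assumed issuer URLs (placeholders): use the realm URLs of your two instances.
    private static final Map<String, String> CONFIG_BY_ISSUER = Map.of(
        "https://sso-internal.example.com/auth/realms/employees", "/employee-keycloak.json",
        "https://sso-portal.example.com/auth/realms/customers", "/customer-keycloak.json");
    // Assumption: a missing or non-allowlisted issuer is checked against the employee realm.
    private static final String DEFAULT_CONFIG = "/employee-keycloak.json";
    private static final ObjectMapper JSON = new ObjectMapper();
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String config = CONFIG_BY_ISSUER.getOrDefault(
                unverifiedIssuer(request.getHeader("Authorization")), DEFAULT_CONFIG);
        return cache.computeIfAbsent(config, path -> {
            InputStream is = getClass().getResourceAsStream(path);
            return KeycloakDeploymentBuilder.build(is);
        });
    }

    // Reads "iss" from the JWT payload without verifying anything. It is a routing
    // hint only: the adapter still validates the token against the chosen
    // deployment, so a forged issuer just selects a realm whose keys reject it.
    static String unverifiedIssuer(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return "";
        }
        String[] parts = authorization.substring(7).trim().split("\\.");
        try {
            JsonNode claims = parts.length == 3
                    ? JSON.readTree(Base64.getUrlDecoder().decode(parts[1])) : null;
            return claims == null ? "" : claims.path("iss").asText("");
        } catch (IllegalArgumentException | IOException e) {
            return ""; // not base64url or not JSON: treat as "no issuer"
        }
    }
}
```

Because both realms end up authorised for the same /users/{user-id} resource, the service's authorization logic should also check the verified token's issuer, not only its subject, so that an employee token and a customer token are never treated as interchangeable.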

