<div dir="ltr">yes the application itself needs to handle multiple realms at once. We are going with a shared application multi tenancy model.<div><br></div><div>Basically the flow I had in mind was:</div><div><br></div><div>
Tenant Registration Process</div><div>
Each tenant will get their own url</div><div>When a new tenant signs up, they can specify their url. </div><div>We would then create the realm for the client in Keycloak (via API calls) and associate the realm id to the url (either in keycloak or our application)</div>
<div><br></div><div>Login process for users of the tenant</div><div>When a user logs in via their tenant specific url, we will intercept that request in a filter and using the Authorization header grab the token and accordingly handle the authorization. If user has not logged in, we will redirect to keycloak for authentication</div>
<div><br></div><div>I had a look at your thoughts on how to do this with Aerogear. If I understand the concept correctly, with the <span style="color:rgb(0,0,0)">UPS + Keycloak in one bundle option, we have to update the jboss wildfly config on the fly whenever we get new tenants. I did not think of this option and not sure if this could be done with wildfly without having to restart wildfly, but even if that is possible, that means we are going to have a large list of wildfly adapter profiles and I don't think that is practical. Just think even if we get 200 tenants, this is going to make it very complicated. Also I think the concept is one war per realm so this might not even be possible for a single application multi tenant model.</span></div>
<div><span style="color:rgb(0,0,0)"><br></span></div><div><font color="#000000">I think the ideal would be to have one wildfly adapter config per Keycloak instance. (i.e. don't go to the realm level) If you want to keep the existing and also cater to what I am suggesting, then some wildcard method to config would do.</font></div>
<div><font color="#000000"><br></font></div><div><font color="#000000">Having said that, now I am wondering if by using the Per war configuration (and not using the wildfly adapter) if I could achieve what I want since from the keycloak docs, it looks like you can configure keycloak per war without specifying any realm specific settings. (at least for now the realm-name element is supposed to be ignored.)</font></div>
<div><font color="#000000"><br></font></div><div><font color="#000000">Not sure if I have complicated this further or if this is doable. But if we can plug in multi tenancy that would be a massive win for Keycloak considering that everything is now moving to the cloud.</font></div>
<div><br></div><div><font color="#000000"><br></font></div><div><br></div><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Feb 24, 2014 at 12:18 AM, Bill Burke <span dir="ltr"><<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><br>
<br>
On 2/23/2014 8:08 AM, Bill Burke wrote:<br>
><br>
><br>
> On 2/22/2014 10:46 PM, Travis De Silva wrote:<br>
>> I just read the discussions on KEYCLOAK-292 on the developer mailing<br>
>> list.<br>
>> <a href="http://lists.jboss.org/pipermail/keycloak-dev/2014-February/001378.html" target="_blank">http://lists.jboss.org/pipermail/keycloak-dev/2014-February/001378.html</a><br>
>><br>
>> The concept of creating an application under the keycloak-admin realm<br>
>> for each realm created looks interesting.<br>
>><br>
>> When it comes to multi tenancy, I think the issue is around the<br>
>> application installation process. If there is a way where we don't have<br>
>> to provide individual application level keycloak.json's or WildFly/JBoss<br>
>> subsystem XML's, then we are getting closer to multi tenancy. I am<br>
>> thinking can this be done at a keycloak top level or the ability to use<br>
>> wildcards for the resource elements in the json.<br>
>><br>
><br>
> The application itself needs to be able to handle multiple realms at<br>
> once? How would you choose which realm to belong to when initiating a<br>
> login? Can you elaborate a bit more on what the flow would look like<br>
> (what you want) when interacting with your applications?<br>
><br>
> Aerogear UPS might be in a similar position as you too, so this is<br>
> something I'd like to solve sooner rather than later.<br>
<br>
</div>Please respond to above, but this was some of my thoughts with Aerogear<br>
which may be related:<br>
<br>
<a href="http://lists.jboss.org/pipermail/keycloak-dev/2014-February/001292.html" target="_blank">http://lists.jboss.org/pipermail/keycloak-dev/2014-February/001292.html</a><br>
<div><div><br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div></div></blockquote></div><br></div></div>