Hi,
regarding multi-tenancy in Keycloak, where each tenant maps to a realm, I wanted to ask for help on clarifying some key concepts in Keycloak to aid in implementing a simple REST-based identity management POC.
Imagine there is a requirement for a multi-tenant environment where user registration (= creation), user login, user logout, and knowing whether a user is still logged in or not must be done over some wrapper REST service which exposes the mentioned functionality to the outside world.
With KeyCloak being deployed in a private network, I have written some wrapper REST service which does create users for a desired tenant (=realm), and this wrapper service itself calls KeyCloak's "Direct Grant API" from an OAuth Client with Super-User Credentials both defined in the "master" realm having sufficient privileges over all realms (as defined by the documentation in "Chapter 17. Admin REST API").
Now I want to be able to wrap the logging-in and logging-out process of a user into a tenant in the same way as user creation, and I don't know how to handle this scenario exactly.
There are some different questions in my head regarding the situation explained above which I wanted to ask:
- To be able to log a user in/out through a wrapper REST service, which has been passed the user's credentials and wants to use Keycloak REST APIs, should I create an OAuth client per realm and log the user in/out using the related OAuth client in each realm?
- Which REST API provides information on whether a specific user is already logged in or not on a specific realm?
- How does the "Application" concept in Keycloak differ from "OAuth Client", and does it make sense to log a user into an application (over the REST API)? If yes, how is this different from logging a user into a realm with an OAuth client?
Thanks a lot,
I really appreciate your help.
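To make the setup described in the post concrete, here is an added example (not code from the post's author or from the Keycloak project) of a minimal wrapper that does what the post describes: it obtains an admin token through the direct grant (resource owner password) flow against a client and super-user in the master realm, uses that token with the Admin REST API to create a user in a tenant realm, and then logs that user in with a direct grant against the tenant realm's own client. The endpoint paths are assumed to be Keycloak's standard ones, `/realms/{realm}/protocol/openid-connect/token` and `/admin/realms/{realm}/users` (older deployments prefix both with `/auth`); the base URL, client ids, user names and the `FakeKeycloak` stand-in are constructed so the flow can be exercised offline.

```python
"""Tenant-per-realm wrapper around Keycloak's direct grant and Admin REST API (added example)."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Transport signature: (method, url, headers, body) -> (status, response_text).
# Injectable so the flow can be tested without a live server.
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, str]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
    """Real HTTP transport (assumes the private-network Keycloak is reachable)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


@dataclass
class KeycloakWrapper:
    base_url: str            # assumed, e.g. "https://keycloak.internal" (no trailing slash)
    admin_client_id: str     # OAuth client defined in the master realm
    admin_user: str          # super-user defined in the master realm
    admin_password: str
    transport: Transport = urllib_transport

    def token_url(self, realm: str) -> str:
        # Assumed standard OIDC token endpoint; older versions prefix with /auth.
        return f"{self.base_url}/realms/{realm}/protocol/openid-connect/token"

    def direct_grant(self, realm: str, client_id: str, username: str, password: str) -> dict:
        """Resource owner password credentials grant against one realm's client."""
        form = urllib.parse.urlencode({
            "grant_type": "password",
            "client_id": client_id,
            "username": username,
            "password": password,
        }).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, text = self.transport("POST", self.token_url(realm), headers, form)
        if status != 200:
            raise RuntimeError(f"direct grant failed for realm {realm}: HTTP {status}")
        return json.loads(text)

    def admin_token(self) -> str:
        """Token for the master-realm super-user, used for cross-realm admin calls."""
        return self.direct_grant("master", self.admin_client_id,
                                 self.admin_user, self.admin_password)["access_token"]

    def create_user(self, realm: str, username: str, email: str, password: str) -> bool:
        """Create a user in a tenant realm via the Admin REST API; True on HTTP 201."""
        url = f"{self.base_url}/admin/realms/{realm}/users"  # assumed admin path
        payload = {
            "username": username,
            "email": email,
            "enabled": True,
            "credentials": [{"type": "password", "value": password, "temporary": False}],
        }
        headers = {"Authorization": f"Bearer {self.admin_token()}",
                   "Content-Type": "application/json"}
        status, _ = self.transport("POST", url, headers, json.dumps(payload).encode())
        return status == 201

    def login_user(self, realm: str, client_id: str, username: str, password: str) -> dict:
        """Log a tenant user in with the tenant realm's own OAuth client."""
        return self.direct_grant(realm, client_id, username, password)


class FakeKeycloak:
    """Constructed stand-in for the server: records calls and answers the two endpoints."""

    def __init__(self) -> None:
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if url.endswith("/protocol/openid-connect/token"):
            form = dict(urllib.parse.parse_qsl(body.decode()))
            if form.get("grant_type") != "password":
                return 400, '{"error": "unsupported_grant_type"}'
            return 200, json.dumps({"access_token": "fake-" + form["username"],
                                    "token_type": "Bearer"})
        if url.endswith("/users") and headers.get("Authorization", "").startswith("Bearer "):
            return 201, ""
        return 401, '{"error": "unauthorized"}'


if __name__ == "__main__":
    fake = FakeKeycloak()
    kc = KeycloakWrapper("https://keycloak.example", "wrapper-admin", "svc-admin", "pw",
                         transport=fake)
    print("created:", kc.create_user("tenant-a", "alice", "alice@example.com", "s3cret"))
    print("login:", kc.login_user("tenant-a", "tenant-a-client", "alice", "s3cret"))
```

Note that `create_user` goes through the master realm, while `login_user` goes through the tenant realm and its own client, which is the per-realm client arrangement the first question asks about; swapping `FakeKeycloak` for `urllib_transport` points the same code at a real server.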