Hi,

regarding multi-tenancy in keycloak, where each tenant maps to a realm, I wanted to ask for help on clarifying some key concepts in keycloak for aid in implementing a simple REST based identity management POC.

Imagine there is a requirement for a multi-tenant environment where user registration (=creation) , user login, user logout and knowing whether a user is still logged in or not must be done over some wrapper REST service which exposes the mentioned functionality to outside world.

With KeyCloak being deployed in a private network, I have written some wrapper REST service which does create users for a desired tenant (=realm), and this wrapper service itself calls KeyCloak's "Direct Grant API" from an OAuth Client with Super-User Credentials both defined in the "master" realm having sufficient privileges over all realms (as defined by the documentation in "Chapter 17. Admin REST API").

Now I want to be able to wrap the logging-in and logging-out process of a user into a tenant in the same way as user creation, which I don't know how to work around this scenario exactly

there are some different questions in my head, regarding the situation explained in my head which I wanted to ask :

to be able to log a user in/out, through a wrapper rest service , which has been passed the user credential to and wants to use KeyCloak REST APIs, should I create an OAuth client per each realm and login/log out the user, using the related OAuth client in each realm ?
Which REST API provides information on whether a specific user is already logged in or not on a specific realm?
How "Application" concept in keycloak differs from "OAuth Client" and does it make sense to log a user to an application (over REST API), if yes how this is different from logging a user into a realm with OAuth Client ?

Thanks Alot,

I really appreciate your help.