Our current "master realm" structure/design is deficient. Consider an
application like UPS that wants to use Keycloak to manage users. This
application would also have its own management console whose security is
also managed by Keycloak.
My first thought is that you could define the application's management
console as an application in the "master" Keycloak realm. This solution
isn't a great one if the Keycloak server is managing multiple realms.
So, IMO not something we should recommend.
Another option is to define admin roles within the application's realm
itself. These roles are assignable to users within the realm. This
would require rethinking of the AngularJS admin console and how things
are authenticated and how people log in. We should probably treat this
as SSO and have individual applications within the application realm,
for example:
UPS Realm registered applications:
  realm-management (Keycloak admin console)
  aerogear-ups-management (UPS admin console)
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com