On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka <Pavel.Micka(a)zoomint.com> wrote:
> Hi,
> We are currently planning how to implement Keycloak in our solution. Our
> solution is a multitenant application composed of many microservices with
> a fronting API and React.js clients. Our tenants are all using the same
> instances of the microservices (those are shared).
> We will go with the implicit token flow, passing the JWT token through all the
> dependencies to achieve defense-in-depth (aka: the services do the
> authorization).
> So, as we'll have many tenants, we will also have many realms. Because
> clients are bound to an individual realm, we will need to duplicate
> (re-register through dynamic registration every client) many times. To make
> matters worse, we will probably also use UMA, which is bound to the client, hence
> the privileges will be duplicated as well...
> Now the questions:
> 1) Is it somehow possible to inherit or template the definition of
> the realm, so we would only change the "master realm template" and the
> changes would propagate to all the individual tenant realms?

This is not possible. However, we have discussed a similar solution when we
were working with Openshift Integration. I can't remember what we called
this at that time, Stian should remember ....

> 2) If this is not possible, what is the recommended way to support
> this scenario with many tenants and many services? Especially when we
> expect that the clients will evolve, hence updating all the clients+uma in
> many realms may be very painful...

I don't think you have any other option. Maybe you can make the job less
painful by using our APIs to help provisioning new tenants with the
"shared" configuration.

> Thanks for your advice!
> Pavel
> // PS: if there is any good article or presentation on how to achieve this
> goal, please send it to me. I will be very grateful.
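
One way to approach the API-driven provisioning suggested in the reply, added here as an example and not taken from the thread or from Keycloak itself: keep one shared template in realm-export shape, render it per tenant, and compute which Admin REST calls are needed to create a realm or correct client drift. The template contents, the `{tenant}` placeholder and the helper names are assumptions; paths are relative to the server's admin REST base, and only clients are covered (UMA resources and policies are not).

```python
import copy

# Constructed sample: a shared "template" in Keycloak realm-export shape
# (RealmRepresentation with a "clients" list). Values are illustrative.
TEMPLATE = {
    "enabled": True,
    "clients": [
        {"clientId": "web-ui", "publicClient": True,
         "redirectUris": ["https://{tenant}.example.test/*"]},
        {"clientId": "orders-api", "bearerOnly": True, "secret": "do-not-copy"},
    ],
}

def render_realm(template, tenant):
    """Return a per-tenant realm representation built from the template."""
    realm = copy.deepcopy(template)
    realm["realm"] = tenant
    for client in realm["clients"]:
        # Never share one client secret across tenants; let each realm issue its own.
        client.pop("secret", None)
        # Scope redirect URIs to the tenant so one tenant's URI is not valid in another.
        client["redirectUris"] = [u.replace("{tenant}", tenant)
                                  for u in client.get("redirectUris", [])]
    return realm

def plan(template, tenant, existing):
    """Admin REST calls needed to bring `tenant` in line with the template.

    `existing` maps clientId -> current ClientRepresentation (including the
    server-assigned "id"), or is None when the realm does not exist yet.
    Returns a list of (method, path, body) tuples; nothing is sent.
    """
    desired = render_realm(template, tenant)
    if existing is None:
        return [("POST", "/admin/realms", desired)]
    calls = []
    for client in desired["clients"]:
        current = existing.get(client["clientId"])
        if current is None:
            calls.append(("POST", f"/admin/realms/{tenant}/clients", client))
        elif any(current.get(k) != v for k, v in client.items()):
            path = f"/admin/realms/{tenant}/clients/{current['id']}"
            calls.append(("PUT", path, client))
    return calls
```

Running `plan` for every tenant after a template change gives a reviewable list of changes before anything is sent to the server.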