yes the application itself needs to handle multiple realms at once. We are
going with a shared application multi tenancy model.
Basically the flow I had in mind was:
Tenant Registration Process
Each tenant will get their own url
When a new tenant signs up, they can specify their url.
We would then create the realm for the client in Keycloak (via API calls)
and associate the realm id to the url (either in keycloak or our
application)
Login process for users of the tenant
When a user logs in via their tenant specific url, we will intercept that
request in a filter and using the Authorization header grab the token and
accordingly handle the authorization. If user has not logged in, we will
redirect to keycloak for authentication
I had a look at your thoughts on how to do this with Aerogear. If I
understand the concept correctly, with the UPS + Keycloak in one bundle
option, we have to update the jboss wildfly config on the fly whenever we
get new tenants. I did not think of this option and not sure if this could
be done with wildfly without having to restart wildfly, but even if that is
possible, that means we are going to have a large list of wildfly adapter
profiles and I don't think that is practical. Just think even if we get 200
tenants, this is going to make it very complicated. Also I think the
concept is one war per realm so this might not even be possible for a
single application multi tenant model.
I think the ideal would be to have one wildfly adapter config per Keycloak
instance. (i.e. don't go to the realm level) If you want to keep the
existing and also cater to what I am suggesting, then some wildcard method
to config would do.
Having said that, now I am wondering if by using the Per war configuration
(and not using the wildfly adapter) if I could achieve what I want since
from the keycloak docs, it looks like you can configure keycloak per war
without specifying any realm specific settings. (at least for now
the realm-name element is supposed to be ignored.)
Not sure if I have complicated this further or if this is doable. But if we
can plug in multi tenancy that would be a massive win for Keycloak
considering that everything is now moving to the cloud.
On Mon, Feb 24, 2014 at 12:18 AM, Bill Burke <bburke(a)redhat.com> wrote:
On 2/23/2014 8:08 AM, Bill Burke wrote:
>
>
> On 2/22/2014 10:46 PM, Travis De Silva wrote:
>> I just read the discussions on KEYCLOAK-292 on the developer mailing
>> list.
>>
http://lists.jboss.org/pipermail/keycloak-dev/2014-February/001378.html
>>
>> The concept of creating an application under the keycloak-admin realm
>> for each realm created looks interesting.
>>
>> When it comes to multi tenancy, I think the issue is around the
>> application installation process. If there is a way where we don't have
>> to provide individual application level keycloak.json's or WildFly/JBoss
>> subsystem XML's, then we are getting closer to multi tenancy. I am
>> thinking can this be done at a keycloak top level or the ability to use
>> wildcards for the resource elements in the json.
>>
>
> The application itself needs to be able to handle multiple realms at
> once? How would you choose which realm to belong to when initiating a
> login? Can you elaborate a bit more on what the flow would look like
> (what you want) when interacting with your applications?
>
> Aerogear UPS might be in a similar position as you too, so this is
> something I'd like to solve sooner rather than later.
Please respond to above, but this was some of my thoughts with Aerogear
which may be related:
http://lists.jboss.org/pipermail/keycloak-dev/2014-February/001292.html
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user