Yes, the application itself needs to handle multiple realms at once. We are going with a shared-application multi-tenancy model.
Basically the flow I had in mind was:
Tenant Registration Process
Each tenant will get their own URL.
When a new tenant signs up, they can specify their URL.
We would then create the realm for the client in Keycloak (via API calls) and associate the realm ID with the URL (either in Keycloak or in our application).
Login process for users of the tenant
When a user logs in via their tenant-specific URL, we will intercept that request in a filter, grab the token from the Authorization header, and handle the authorization accordingly. If the user has not logged in, we will redirect to Keycloak for authentication.
I had a look at your thoughts on how to do this with AeroGear. If I understand the concept correctly, with the "UPS + Keycloak in one bundle" option, we have to update the JBoss WildFly config on the fly whenever we get new tenants. I did not think of this option, and I am not sure if this could be done with WildFly without having to restart it, but even if that is possible, it means we are going to have a large list of WildFly adapter profiles, and I don't think that is practical. Just think: even if we get 200 tenants, this is going to make it very complicated. Also, I think the concept is one WAR per realm, so this might not even be possible for a single-application multi-tenant model.
I think the ideal would be to have one WildFly adapter config per Keycloak instance (i.e. not go down to the realm level). If you want to keep the existing one and also cater to what I am suggesting, then some wildcard method of configuration would do.
Having said that, now I am wondering if, by using the per-WAR configuration (and not using the WildFly adapter), I could achieve what I want, since from the Keycloak docs it looks like you can configure Keycloak per WAR without specifying any realm-specific settings (at least for now, the realm-name element is supposed to be ignored).
Not sure if I have complicated this further or if this is doable. But if we can plug in multi-tenancy, that would be a massive win for Keycloak, considering that everything is now moving to the cloud.
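The request filter sketched in the post above (tenant URL to realm lookup, then bearer-token handling or a redirect to that tenant's Keycloak login), written out as an added example that is not part of the original message and not Keycloak's or AeroGear's own adapter code. The Keycloak base URL, the tenant-to-realm registry and the per-realm secrets are all constructed for the example; real Keycloak tokens are RS256-signed and would be verified against the realm's public key, so the HS256 secret here is only a stand-in that keeps the example runnable offline. The security point it makes is that the realm must be chosen from the tenant's URL first and the token then checked against that realm, so a valid token from one tenant's realm is refused on another tenant's URL.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical Keycloak base URL; the issuer Keycloak places in its tokens is <base>/realms/<realm>
KEYCLOAK_BASE = "https://keycloak.example.test"

# Constructed tenant registry: the host a tenant chose at sign-up -> the realm created for it
TENANT_REALMS = {
    "acme.app.example.test": "acme",
    "globex.app.example.test": "globex",
}

# Constructed per-realm HMAC secrets. A real deployment verifies Keycloak's RS256 signature
# with the realm's public key; HS256 is used here only so the example runs offline.
REALM_SECRETS = {
    "acme": b"acme-realm-secret",
    "globex": b"globex-realm-secret",
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def resolve_realm(host: str) -> Optional[str]:
    """Filter step 1: map the request host (port stripped) to its tenant realm, or None."""
    return TENANT_REALMS.get(host.split(":")[0].lower())


def issuer_for(realm: str) -> str:
    return f"{KEYCLOAK_BASE}/realms/{realm}"


def mint_token(realm: str, subject: str, now: int) -> str:
    """Constructed stand-in for a token issued by the realm's Keycloak login (test helper)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": issuer_for(realm), "sub": subject, "exp": now + 300}).encode())
    sig = hmac.new(REALM_SECRETS[realm], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, realm: str, now: int):
    """Filter step 2: check signature, issuer and expiry against *this tenant's* realm.
    Returns (claims, None) on success or (None, reason) on failure."""
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        return None, "malformed token"
    expected = hmac.new(REALM_SECRETS[realm], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        return None, f"bad signature for realm {realm}"
    claims = json.loads(b64url_decode(payload))
    # Defence in depth: even with a valid signature, the issuer must be this tenant's realm
    if claims.get("iss") != issuer_for(realm):
        return None, "issuer mismatch: token was not issued by this tenant's realm"
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    return claims, None


def handle_request(host: str, authorization: Optional[str], now: int) -> dict:
    """The filter from the post: resolve the tenant from the URL, then accept the bearer
    token, redirect to the tenant's Keycloak login, or refuse."""
    realm = resolve_realm(host)
    if realm is None:
        return {"status": 404, "reason": "unknown tenant"}
    if not authorization:
        # Keycloak's OIDC authorization endpoint for that realm
        return {"status": 302, "location": f"{issuer_for(realm)}/protocol/openid-connect/auth"}
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return {"status": 401, "reason": "expected a Bearer token"}
    claims, err = verify_token(token, realm, now)
    if err:
        return {"status": 401, "reason": err}
    return {"status": 200, "realm": realm, "sub": claims["sub"]}


if __name__ == "__main__":
    tok = mint_token("acme", "alice", now=1000)
    print(handle_request("acme.app.example.test", "Bearer " + tok, now=1000))    # 200, realm acme
    print(handle_request("globex.app.example.test", "Bearer " + tok, now=1000))  # 401, wrong realm
```

The registry lookup is where the "realm ID associated with the URL" from the registration step would be consulted; in a real deployment it would be a database or the per-tenant configuration store rather than a dict, and the signing material would be fetched from each realm's published keys.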