Your proposed solution would not cover the use case where we can create tenants at runtime, as the realm config in the keycloak.json would be hard-coded into the war.
I had discussed this identical use case a while ago on this forum and Bill was planning to refactor the adapters to support this use case. Unfortunately he got caught up in other tasks and was not able to proceed on this.
Basically what I believe Bill suggested which would meet this use case is to:
Have a shared secret between clients for all realms.
The adapter would just extract the realm name from the request, invoke on the keycloak server to get the public information about the realm (i.e. public key) and then cache the information locally.
The key bit here is extracting the realm name from the request and then pulling the realm info from the keycloak server.
I had a look at the keycloak source code and I believe the magic happens in the KeycloakServletExtension class under the org.keycloak.adapters.undertow package for my use case (since I deploy it on wildfly).
What has got me stumped is that this class gets loaded when my war is deployed, and I am wondering how I can do it per request (if the info is not already cached locally).
With the imminent release of 1.0 (btw congrats for the great work to everyone in the team and for Bill and your leadership), maybe we should start thinking about this multi-tenancy use case to be included in future releases.
I believe that SaaS models are going to be popular and having this feature added will make keycloak a major player in this space.
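The per-request flow sketched in the post above (take the realm name from the request, look the realm's verification key up on the server unless it is already cached, then check the token against that key) as an added illustration; this is example code, not the poster's code and not Keycloak's adapter. It assumes a URL convention of `/{realm}/...`, stands in an in-memory `RealmServer` for the Keycloak server's realm-info endpoint, and uses HMAC-SHA256 instead of the realm's RSA public key so it runs with the standard library alone. Two things the post leaves implicit are made explicit here: the realm name is validated before it is used to build a lookup, and a token is rejected when the realm it names does not match the realm in the request path.

```python
import hashlib
import hmac
import re
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-in for the public realm information the server would return.
# Real realms would publish an RSA public key; HMAC keys keep the example self-contained.
CONSTRUCTED_REALMS = {
    "tenant-a": {"key": b"constructed-key-tenant-a"},
    "tenant-b": {"key": b"constructed-key-tenant-b"},
}

# Only accept realm names that are safe to use in a lookup (no "..", "/", etc.).
REALM_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class RealmServer:
    """Stand-in for the server endpoint that returns a realm's public info (assumption)."""

    def __init__(self, realms: Dict[str, dict]):
        self.realms = realms
        self.calls = 0  # counts remote lookups so caching can be observed

    def fetch(self, realm: str) -> Optional[dict]:
        self.calls += 1
        return self.realms.get(realm)


@dataclass
class RealmCache:
    """Caches realm info per realm name with a TTL; misses go to the server."""

    server: RealmServer
    ttl_seconds: float = 300.0
    _entries: Dict[str, Tuple[float, dict]] = field(default_factory=dict)

    def get(self, realm: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        hit = self._entries.get(realm)
        if hit is not None and hit[0] > now:
            return hit[1]
        info = self.server.fetch(realm)
        if info is not None:
            self._entries[realm] = (now + self.ttl_seconds, info)
        return info


def realm_from_path(path: str) -> Optional[str]:
    """Extract the realm from the first path segment; None if missing or unsafe."""
    parts = [p for p in path.split("/") if p]
    if not parts or not REALM_NAME_RE.match(parts[0]):
        return None
    return parts[0]


def sign_token(realm: str, payload: str, key: bytes) -> str:
    """Constructed token format: realm.payload.hexmac (stand-in for a signed JWT)."""
    mac = hmac.new(key, f"{realm}.{payload}".encode(), hashlib.sha256).hexdigest()
    return f"{realm}.{payload}.{mac}"


def verify_request(path: str, token: str, cache: RealmCache,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Resolve the realm from the request, fetch/cached its key, verify the token."""
    realm = realm_from_path(path)
    if realm is None:
        return False, "no valid realm in request path"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    token_realm, payload, mac = parts
    if token_realm != realm:
        return False, "token issued for a different realm"
    info = cache.get(realm, now)
    if info is None:
        return False, "unknown realm"
    expected = hmac.new(info["key"], f"{realm}.{payload}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    server = RealmServer(CONSTRUCTED_REALMS)
    cache = RealmCache(server, ttl_seconds=60)
    tok = sign_token("tenant-a", "user=alice", CONSTRUCTED_REALMS["tenant-a"]["key"])
    print(verify_request("/tenant-a/app", tok, cache))   # first call hits the server
    print(verify_request("/tenant-a/app", tok, cache))   # second call is served from cache
    print("server lookups:", server.calls)
```

The TTL is deliberately short-lived rather than permanent so a realm's key rotation on the server is picked up without redeploying the war; a production adapter would also want a negative-cache or rate limit for unknown realm names so that arbitrary path segments cannot turn every request into a server round-trip.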