1:40 p.m.
Hi
I am building a multi-tenant mobile application that uses keycloak as a SSO server. We
will pre-load users in keycloak using their email address as their username with a
separate realm for each tenant. When a user logs into the mobile app I need to detect the
realm from a user's email domain and redirect to the appropriate authorisation end
point for the realm. Has anyone faced a similar problem?
My thoughts at the moment is to build a proxy api that the mobile application redirects to
that prompts the user for their email address, look up the configured tenant form the
email domain and redirects to the appropriate realm's login page passing the mobile
app credentials it passes to the proxy api and the entered user email as a login_hint.
Can anyone see any issues with this approach? Or a suggest a better approach?
Thanks
Scott
2:23 p.m.
Hi Scott,
Wouldn't it be much easier to implement this "proxy" logic in the mobile app
itself? Adding a new layer in your infrastructure could mean another single point of
failure and doesn't add much value to it either. Of course, you can write some logic
by modifying Keycloak but it could rejected by the community and then you'd have to
main your logic in Keycloak yourself. It could break anytime Keycloak has another update
and Keycloak is updated frequently.
I'd honestly stick by implementing this behavior in your client. Before you redirect
your user to the login page or pass his credentials to the Keycloak instance, validate the
email and direct the user to the proper realm then. This way you'd have to maintain
only a small part of your mobile app and doesn't contain the complexity by maintaining
another component in your infrastructure.
I hope this will give you some thoughts :-) !
Kind regards,
Kevin
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Scott Hezzell
Sent: Tuesday, November 28, 2017 1:40 PM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Keycloak realm detection from email domain
Hi
I am building a multi-tenant mobile application that uses keycloak as a SSO server. We
will pre-load users in keycloak using their email address as their username with a
separate realm for each tenant. When a user logs into the mobile app I need to detect the
realm from a user's email domain and redirect to the appropriate authorisation end
point for the realm. Has anyone faced a similar problem?
My thoughts at the moment is to build a proxy api that the mobile application redirects to
that prompts the user for their email address, look up the configured tenant form the
email domain and redirects to the appropriate realm's login page passing the mobile
app credentials it passes to the proxy api and the entered user email as a login_hint.
Can anyone see any issues with this approach? Or a suggest a better approach?
Thanks
Scott
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:12 p.m.
Hi Scot,
We are facing similar issue with keyclaok but would prefer to have the realm resolution
implemented in keycloak (not like Kevin suggests on client side).
Can you maybe share your experience and the approach you finally implemented?
Best regards,
Marian
-----Original Message-----
Hi Scott,
Wouldn't it be much easier to implement this "proxy" logic in the mobile app
itself? Adding a new layer in your infrastructure could mean another single point of
failure and doesn't add much value to it either. Of course, you can write some logic
by modifying Keycloak but it could rejected by the community and then you'd have to
main your logic in Keycloak yourself. It could break anytime Keycloak has another update
and Keycloak is updated frequently.
I'd honestly stick by implementing this behavior in your client. Before you redirect
your user to the login page or pass his credentials to the Keycloak instance, validate the
email and direct the user to the proper realm then. This way you'd have to maintain
only a small part of your mobile app and doesn't contain the complexity by maintaining
another component in your infrastructure.
I hope this will give you some thoughts :-) !
Kind regards,
Kevin
-----Original Message-----
From: keycloak-user-bounces at
lists.jboss.org<https://lists.jboss.org/mailman/listinfo/keycloak-user...
[mailto:keycloak-user-bounces at
lists.jboss.org<https://lists.jboss.org/mailman/listinfo/keycloak-user...] On Behalf
Of Scott Hezzell
Sent: Tuesday, November 28, 2017 1:40 PM
To: keycloak-user at
lists.jboss.org<https://lists.jboss.org/mailman/listinfo/keycloak-user...
Subject: [keycloak-user] Keycloak realm detection from email domain
Hi
I am building a multi-tenant mobile application that uses keycloak as a SSO server. We
will pre-load users in keycloak using their email address as their username with a
separate realm for each tenant. When a user logs into the mobile app I need to detect the
realm from a user's email domain and redirect to the appropriate authorisation end
point for the realm. Has anyone faced a similar problem?
My thoughts at the moment is to build a proxy api that the mobile application redirects to
that prompts the user for their email address, look up the configured tenant form the
email domain and redirects to the appropriate realm's login page passing the mobile
app credentials it passes to the proxy api and the entered user email as a login_hint.
Can anyone see any issues with this approach? Or a suggest a better approach?
Thanks
Scott
1976
days inactive
2334
days old
2 comments
3 participants
participants (3)
-
Kevin Berendsen -
Marian Petrik -
Scott Hezzell