On Mon, Mar 5, 2018 at 4:25 PM, Cedric Thiebault <cedric.thiebault(a)sensefly.com> wrote:
Thanks Sebastien!
Multi-tenancy config implies that secured resources have different paths
depending on which keycloak should be used.
That particular example just uses the path as discriminator but you can use
anything to pick up the right config file. Imagine a custom header that the
clients add to the request:
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        // Constant-first equals() avoids a NullPointerException when the header is absent.
        boolean customer = "customer".equals(request.getHeader("my-custom-header"));
        String realm = customer ? "customer" : "employee";
        // cache is a Map<String, KeycloakDeployment> field of the resolver.
        KeycloakDeployment deployment = cache.get(realm);
        if (null == deployment) {
            InputStream is =
                getClass().getResourceAsStream("/" + realm + "-keycloak.json");
            deployment = KeycloakDeploymentBuilder.build(is);
            cache.put(realm, deployment);
        }
        return deployment;
    }
But let's imagine I have a user-service (bearer-only) with secured
resource */users/{user-id}*.
This resource is used by:
- internal apps (user is authenticated by keycloak for employee)
- customer portal (user is authenticated by keycloak for customers)
I don't see how I can configure user-service to iterate over available
Keycloak...
Should I duplicate authentication filters in
org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter#configure
    .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
    .addFilterBefore(keycloakAuthenticationProcessingFilter(),
        BasicAuthenticationFilter.class)
    .addFilterBefore(keycloakAuthenticatedActionsFilter(), BasicAuthenticationFilter.class)
    .addFilterAfter(keycloakSecurityContextRequestFilter(),
        SecurityContextHolderAwareRequestFilter.class)
Not sure I understand what you want to achieve here.
I hope I'm clear enough :-/
Thanks for your help!
Cedric
------------------------------
*From:* Sebastien Blanc <sblanc(a)redhat.com>
*Sent:* Friday, March 2, 2018 9:48:57 AM
*To:* Cedric Thiebault
*Cc:* keycloak-user
*Subject:* Re: [keycloak-user] Spring Boot with multiple Keycloak instances
Hi Cedric,
You mention "keycloak.json" so I assume you are using the Spring Security
Adapter? If this is the case we don't have an out of the box solution but
you can solve it by implementing your own KeycloakConfigResolver, take a
look here
http://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
then in your Spring Boot app declare a bean to point
to the new config resolver like:

    @Bean
    public KeycloakConfigResolver KeycloakConfigResolver() {
        return new MyCustomConfigResolver();
    }
If you are using Spring Boot adapter "standalone" with the config in the
properties file, then we don't support multitenancy yet but we are working
on a solution.
On Fri, Mar 2, 2018 at 9:25 AM, Cedric Thiebault <cedric.thiebault(a)sensefly.com> wrote:
Hello,
We are developing a REST API (Spring Boot micro-services) secured by
Keycloak.
We would like to use 2 different Keycloak instances:
- one for employees linked to our Active Directory
- one for our customers
The idea is to isolate environments to reduce the impact on customer side
when modifying internal services...
Securing a Spring Boot app with Keycloak Spring adapters is easy (thanks
guys!). But I don't see in documentation how to use 2 Keycloak instances as we
always refer to a single keycloak.json.
Is securing a Spring Boot app with 2 different Keycloak instances possible?
Thanks for your help!
Cedric