I've also posted this question on stackoverflow. So if you want to you can
answer there so it'll be easier to find for anyone looking. Here it is:
https://stackoverflow.com/questions/55634962/keycloak-support-for-one-rea...
I'm building an ecosystem of applications on kubernetes with keycloak as
authentication/authorization provider. I am(or probably was) planning for
everything to be integrated with it via OpenId(OAuth2) and for user
credentials and other private information never to leave the keycloak
instance in an unencrypted form.
I was trying to implement the whole authentication scheme with the
following configurations in mind.
Realms
myservice: Realm containing the public and back-office users of my application.
All microservices that I have are authenticating users
against this realm.
master: Contains admins, keycloak administrators and other resources which
should not be ever exposed to the public or intranet users.
No microservice
ever performs authentication on this realm.
Domains
1. domain:
account.myservice.com
access: public
cors: allow requests from
app.myservice.com
config: kubernetes-ingress
exposes: configured themes to support login, registration, etc.. Endpoints
for public front-end application token validation
description: Only exposes access to a realm called "myservice" in keycloak.
No users from other realms can login or interact.
2. domain:
account.internal.myservice.com
access: intranet/admins
cors: allow requests from
back-office.internal.myservice.com
config: kubernetes-ingress
exposes: configured themes to support login, registration, etc.. Endpoints
for back-end front-end application token validation
description: Exposes all the realms and provides access to keycloak
administrative UI.
3. domain: keycloak (keycloak.default.svc.cluster.local)
access: cluster-internal
cors: none
config: kubernetes service, visible only inside the cluster
exposes: endpoints for back-end application token validation
description: Only exposes realm "myservice" and is used for other
services to
validate user tokens and similar stuff.
I did come across a number of issues when trying to implement the above
configuration scheme. If I do SSL termination inside Keycloak I won't be
able to configure the different domains via a reverse proxy or similar
approach which, in turn, means that Keycloak should provide a feature to
listen on a separate SSL encrypted port and only make one realm available
there. Which it does not. So do I want something weird here? Are the best
practices different from what I want?
--
Best Regards,
Yervand