I am curious... how does this address the issue of requiring users to
re-login again to switch realms?
I ask, as this is a very common need and since the access token is specific
to a Keycloak realm, I don't see how this would address that situation
without Keycloak supporting "trusted realms".
Thanks
Stephen
On Fri, Sep 29, 2017 at 11:55 PM, Michael Liebe <Michael.Liebe(a)ist.com>
wrote:
Hi,
We have a similar setup and achieve cross-realm authentication through an
extra IdP instance (which is actually a requirement for us because the IdPs
are owned by the customers). This of course adds administrative overhead.
Realm selection is in our case done by setting a specific header on the
reverse proxy. The realm name is hereby derived from the request URL.
Accordingly, we implemented a custom KeycloakConfigResolver that reads the
realm name from the header.
I hope this helps,
Michael
On 2017-09-27, 14:14, "keycloak-user-bounces(a)lists.jboss.org on behalf of
Matthias ANGLADE" <keycloak-user-bounces(a)lists.jboss.org on behalf of
manglade(a)nextoo.fr> wrote:
Hi,
I'm currently working on a project with specific requirements. Actually
what we are trying to do is to set up a Keycloak in order to protect
several applications. Each of these applications will potentially have
their own set of webapps and micro-services. What we intended to do is to
declare a realm per app (and each component of the app would be a client
within its own realm).
We need to set up some cross-realm features such as realm selection,
multi-realm authentication (i.e. not being forced to re-login when
switching from one realm to another).
I'm looking for advice or feedback on implementing such a case. Would you
have any?
Yours,
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user