4:39 a.m.
Hi,
We are currently planning how to implement Keycloak to our solution. Our solution is a
multitenant application composed of many microservices with fronting API and React.js
clients. Our tenants are all using the same instances of the microservices (those are
shared).
We will go with implicit token flow, passing the JWT token through all the dependencies to
achieve defense-in-depth (aka: the services do the authorization).
So as we'll have many tenants we will also have many realms. Because clients are bound
to individual realm, we will need to duplicate (re-register through dynamic registration
every client) many times. For the worse, we will probably also use UMA, which is bound to
the client, hence the privileges will be duplicated as well...
Now the questions:
1) Is it somehow possible to inherit or template the definition of the realm, so we
would only change the "master realm template" and the changes would propagate to
all the individual tenant realms
2) If this is not possible, what is the recommended way to support this scenario with
many tenants and many services? Especially when we expect that the clients will evolve,
hence updating all the clients+uma in many realms may be very painful...
Thanks for your advice!
Pavel
// PS: if there is any good article or presentation how to achieve this, goal, please send
it to me. I will be very grateful.
4:50 a.m.
On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka <Pavel.Micka(a)zoomint.com> wrote:
Hi,
We are currently planning how to implement Keycloak to our solution. Our
solution is a multitenant application composed of many microservices with
fronting API and React.js clients. Our tenants are all using the same
instances of the microservices (those are shared).
We will go with implicit token flow, passing the JWT token through all the
dependencies to achieve defense-in-depth (aka: the services do the
authorization).
So as we'll have many tenants we will also have many realms. Because
clients are bound to individual realm, we will need to duplicate
(re-register through dynamic registration every client) many times. For the
worse, we will probably also use UMA, which is bound to the client, hence
the privileges will be duplicated as well...
Now the questions:
1) Is it somehow possible to inherit or template the definition of
the realm, so we would only change the "master realm template" and the
changes would propagate to all the individual tenant realms
This is not possible. However, we have discussed a similar solution when we
were working with Openshift Integration. I can't remember how we called
this at that time, Stian should remember ....
2) If this is not possible, what is the recommended way to support
this scenario with many tenants and many services? Especially when we
expect that the clients will evolve, hence updating all the clients+uma in
many realms may be very painful...
I don't think you have other option. Maybe you can make the job less
painful by using our APIs to help provisioning new tenants with the
"shared" configuration.
Thanks for your advice!
Pavel
// PS: if there is any good article or presentation how to achieve this,
goal, please send it to me. I will be very grateful.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:14 a.m.
Hi Pedro Igor Silva,
We also have similar requirement. you said
*I don't think you have other option. Maybe you can make the job
lesspainful by using our APIs to help provisioning new tenants with
the"shared" configuration*.
Can you tell me how with examples if possible.
On Wed, Feb 6, 2019 at 4:27 PM Pedro Igor Silva <psilva(a)redhat.com> wrote:
On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka
<Pavel.Micka(a)zoomint.com>
wrote:
> Hi,
>
> We are currently planning how to implement Keycloak to our solution. Our
> solution is a multitenant application composed of many microservices with
> fronting API and React.js clients. Our tenants are all using the same
> instances of the microservices (those are shared).
> We will go with implicit token flow, passing the JWT token through all
the
> dependencies to achieve defense-in-depth (aka: the services do the
> authorization).
>
> So as we'll have many tenants we will also have many realms. Because
> clients are bound to individual realm, we will need to duplicate
> (re-register through dynamic registration every client) many times. For
the
> worse, we will probably also use UMA, which is bound to the client, hence
> the privileges will be duplicated as well...
>
> Now the questions:
>
> 1) Is it somehow possible to inherit or template the definition of
> the realm, so we would only change the "master realm template" and the
> changes would propagate to all the individual tenant realms
>
This is not possible. However, we have discussed a similar solution when we
were working with Openshift Integration. I can't remember how we called
this at that time, Stian should remember ....
>
> 2) If this is not possible, what is the recommended way to support
> this scenario with many tenants and many services? Especially when we
> expect that the clients will evolve, hence updating all the clients+uma
in
> many realms may be very painful...
>
I don't think you have other option. Maybe you can make the job less
painful by using our APIs to help provisioning new tenants with the
"shared" configuration.
>
> Thanks for your advice!
>
> Pavel
>
>
> // PS: if there is any good article or presentation how to achieve this,
> goal, please send it to me. I will be very grateful.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Thanks & Regards,
Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore – 560001, Karnataka, India.
Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>
5:19 a.m.
Keycloak provides an API which is basically the same that is backing our
administration console. You can basically manage everything from it.
You could maybe start by this part of the docs [1]. If you are using Java,
you can use a client library.
[1]
https://www.keycloak.org/docs/latest/server_development/index.html#admin-...
On Wed, Feb 6, 2019 at 9:15 AM Hariprasad N <hariprasad.n(a)ramyamlab.com>
wrote:
Hi Pedro Igor Silva,
We also have similar requirement. you said
*I don't think you have other option. Maybe you can make the job
lesspainful by using our APIs to help provisioning new tenants with
the"shared" configuration*.
Can you tell me how with examples if possible.
On Wed, Feb 6, 2019 at 4:27 PM Pedro Igor Silva <psilva(a)redhat.com> wrote:
> On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka <Pavel.Micka(a)zoomint.com>
> wrote:
>
> > Hi,
> >
> > We are currently planning how to implement Keycloak to our solution. Our
> > solution is a multitenant application composed of many microservices
> with
> > fronting API and React.js clients. Our tenants are all using the same
> > instances of the microservices (those are shared).
> > We will go with implicit token flow, passing the JWT token through all
> the
> > dependencies to achieve defense-in-depth (aka: the services do the
> > authorization).
> >
> > So as we'll have many tenants we will also have many realms. Because
> > clients are bound to individual realm, we will need to duplicate
> > (re-register through dynamic registration every client) many times. For
> the
> > worse, we will probably also use UMA, which is bound to the client,
> hence
> > the privileges will be duplicated as well...
> >
> > Now the questions:
> >
> > 1) Is it somehow possible to inherit or template the definition of
> > the realm, so we would only change the "master realm template" and
the
> > changes would propagate to all the individual tenant realms
> >
>
> This is not possible. However, we have discussed a similar solution when
> we
> were working with Openshift Integration. I can't remember how we called
> this at that time, Stian should remember ....
>
>
> >
> > 2) If this is not possible, what is the recommended way to support
> > this scenario with many tenants and many services? Especially when we
> > expect that the clients will evolve, hence updating all the clients+uma
> in
> > many realms may be very painful...
> >
>
> I don't think you have other option. Maybe you can make the job less
> painful by using our APIs to help provisioning new tenants with the
> "shared" configuration.
>
>
> >
> > Thanks for your advice!
> >
> > Pavel
> >
> >
> > // PS: if there is any good article or presentation how to achieve this,
> > goal, please send it to me. I will be very grateful.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Thanks & Regards,
Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore – 560001, Karnataka, India.
Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>
5:26 a.m.
Thanks.
I already have this in my mind, I thought you will give another solution,
any way thanks.
Is there any plan in future to create shared clients and roles across
multiple realm.
I have asked this requirement long back.
Regards
Hari Prasad N
On Wed, Feb 6, 2019 at 4:50 PM Pedro Igor Silva <psilva(a)redhat.com> wrote:
Keycloak provides an API which is basically the same that is backing
our
administration console. You can basically manage everything from it.
You could maybe start by this part of the docs [1]. If you are using Java,
you can use a client library.
[1]
https://www.keycloak.org/docs/latest/server_development/index.html#admin-...
On Wed, Feb 6, 2019 at 9:15 AM Hariprasad N <hariprasad.n(a)ramyamlab.com>
wrote:
> Hi Pedro Igor Silva,
>
> We also have similar requirement. you said
>
>
> *I don't think you have other option. Maybe you can make the job
> lesspainful by using our APIs to help provisioning new tenants with
> the"shared" configuration*.
>
> Can you tell me how with examples if possible.
>
> On Wed, Feb 6, 2019 at 4:27 PM Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka <Pavel.Micka(a)zoomint.com>
>> wrote:
>>
>> > Hi,
>> >
>> > We are currently planning how to implement Keycloak to our solution.
>> Our
>> > solution is a multitenant application composed of many microservices
>> with
>> > fronting API and React.js clients. Our tenants are all using the same
>> > instances of the microservices (those are shared).
>> > We will go with implicit token flow, passing the JWT token through all
>> the
>> > dependencies to achieve defense-in-depth (aka: the services do the
>> > authorization).
>> >
>> > So as we'll have many tenants we will also have many realms. Because
>> > clients are bound to individual realm, we will need to duplicate
>> > (re-register through dynamic registration every client) many times.
>> For the
>> > worse, we will probably also use UMA, which is bound to the client,
>> hence
>> > the privileges will be duplicated as well...
>> >
>> > Now the questions:
>> >
>> > 1) Is it somehow possible to inherit or template the definition of
>> > the realm, so we would only change the "master realm template" and
the
>> > changes would propagate to all the individual tenant realms
>> >
>>
>> This is not possible. However, we have discussed a similar solution when
>> we
>> were working with Openshift Integration. I can't remember how we called
>> this at that time, Stian should remember ....
>>
>>
>> >
>> > 2) If this is not possible, what is the recommended way to support
>> > this scenario with many tenants and many services? Especially when we
>> > expect that the clients will evolve, hence updating all the
>> clients+uma in
>> > many realms may be very painful...
>> >
>>
>> I don't think you have other option. Maybe you can make the job less
>> painful by using our APIs to help provisioning new tenants with the
>> "shared" configuration.
>>
>>
>> >
>> > Thanks for your advice!
>> >
>> > Pavel
>> >
>> >
>> > // PS: if there is any good article or presentation how to achieve
>> this,
>> > goal, please send it to me. I will be very grateful.
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> --
> Thanks & Regards,
>
> Hari Prasad N
> Senior Software Engineer
> -------------------------------------------------
> Ramyam Intelligence Lab Pvt. Ltd.,
> Part of Arvato
> 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
> Bangalore – 560001, Karnataka, India.
>
> Phone: +91 80 67269266
> Mobile: +91 7022156319
> E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m*
> *www.ramyamlab.com* <http://www.ramyamlab.com/>
>
--
Thanks & Regards,
Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore – 560001, Karnataka, India.
Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: *hariprasad.n(a)ramyamlab.co <http://ramyamlab.co>m*
*www.ramyamlab.com* <http://www.ramyamlab.com/>
9:42 a.m.
Hello Pavel and Hariprasad,
As an alternative, you can do everything in one realm. There is a trick to implement
ad-hoc "multi-tenancy" within one realm using OpenID Connect scope parameter in
the form of "scope=openid tenant:XXX". Using tenant ID, you can dynamically
brand account and email themes, propagate it to the tokens, use it in dynamic
authorization policies etc. I'm currently writing a detailed article describing this
approach.
With this, you will have a shared set of clients, UMA, policies etc. However you will need
to implement proper separation of users, e.g. using groups or user attributes.
Feel free to ask any questions on this,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2019-02-06 at 10:39 +0000, Pavel Micka wrote:
Hi,
We are currently planning how to implement Keycloak to our solution. Our solution is a
multitenant application composed of many microservices with fronting API and React.js
clients. Our tenants are all using the same instances of the microservices (those are
shared).
We will go with implicit token flow, passing the JWT token through all the dependencies
to achieve defense-in-depth (aka: the services do the authorization).
So as we'll have many tenants we will also have many realms. Because clients are
bound to individual realm, we will need to duplicate (re-register through dynamic
registration every client) many times. For the worse, we will probably also use UMA, which
is bound to the client, hence the privileges will be duplicated as well...
Now the questions:
1) Is it somehow possible to inherit or template the definition of the realm, so we
would only change the "master realm template" and the changes would propagate to
all the individual tenant realms
2) If this is not possible, what is the recommended way to support this scenario
with many tenants and many services? Especially when we expect that the clients will
evolve, hence updating all the clients+uma in many realms may be very painful...
Thanks for your advice!
Pavel
// PS: if there is any good article or presentation how to achieve this, goal, please
send it to me. I will be very grateful.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:23 a.m.
Hi,
Unfortunatelly its not possible in our case, as we also have per-tenant ability to use
different user sources - both sychronization and SSO federation - as we generally import
the users from external systems (telephony platforms, active directories...); or in other
words, we do not have (almost any) local users.
Best regards,
Pavel
// but yeah, this strategy would work nicely, if we did not have these tenant-specific
additional contraints
-----Original Message-----
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: Wednesday, February 6, 2019 4:42 PM
To: Pavel Micka <Pavel.Micka(a)zoomint.com>; keycloak-user(a)lists.jboss.org
Cc: Hariprasad N <hariprasad.n(a)ramyamlab.com>
Subject: Re: [keycloak-user] Securing multitenant microservices
Hello Pavel and Hariprasad,
As an alternative, you can do everything in one realm. There is a trick to implement
ad-hoc "multi-tenancy" within one realm using OpenID Connect scope parameter in
the form of "scope=openid tenant:XXX". Using tenant ID, you can dynamically
brand account and email themes, propagate it to the tokens, use it in dynamic
authorization policies etc. I'm currently writing a detailed article describing this
approach.
With this, you will have a shared set of clients, UMA, policies etc. However you will need
to implement proper separation of users, e.g. using groups or user attributes.
Feel free to ask any questions on this,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2019-02-06 at 10:39 +0000, Pavel Micka wrote:
Hi,
We are currently planning how to implement Keycloak to our solution. Our solution is a
multitenant application composed of many microservices with fronting API and React.js
clients. Our tenants are all using the same instances of the microservices (those are
shared).
We will go with implicit token flow, passing the JWT token through all the dependencies
to achieve defense-in-depth (aka: the services do the authorization).
So as we'll have many tenants we will also have many realms. Because clients are
bound to individual realm, we will need to duplicate (re-register through dynamic
registration every client) many times. For the worse, we will probably also use UMA, which
is bound to the client, hence the privileges will be duplicated as well...
Now the questions:
1) Is it somehow possible to inherit or template the definition of the realm, so we
would only change the "master realm template" and the changes would propagate to
all the individual tenant realms
2) If this is not possible, what is the recommended way to support this scenario
with many tenants and many services? Especially when we expect that the clients will
evolve, hence updating all the clients+uma in many realms may be very painful...
Thanks for your advice!
Pavel
// PS: if there is any good article or presentation how to achieve this, goal, please
send it to me. I will be very grateful.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2632
days inactive
2632
days old
6 comments
4 participants
participants (4)
-
Dmitry Telegin -
Hariprasad N -
Pavel Micka -
Pedro Igor Silva