[keycloak-dev] using the same master client to manage multiple realms

Stian Thorgersen sthorger at redhat.com
Mon Oct 22 02:54:46 EDT 2018


Although I appreciate how this could be useful, this is introducing yet
another complexity into a rather messy part of the code base. I'd like to
see the way realms are managed being made simpler, not more complex with
introducing alternatives here.

On Fri, 19 Oct 2018 at 22:58, Gideon Caranzo <gideonray at gmail.com> wrote:

> Hi All,
>
> I'd like to propose a feature wherein you can assign the same master client
> to manage multiple realms.
>
> Right now we are using composite roles for some api client credentials. The
> issue we have is that if we need to assign or remove roles, we need to
> update all realm clients. Also, if we add a new realm, we also need to update
> our composite roles and assign roles needed for the realm client.
>
> So basically, in our case, we just need one client since all the realm
> clients will have exactly the same assigned roles.
> This will also improve performance if you have a large number of realms since
> you won't have a scenario wherein one composite role ends up loading all
> roles for each realm client.
>
> This can be implemented by having an option to specify the master client
> when creating a realm. If a master client is specified, it will be created
> or reused if it already exists.
> Since this is only an option, the existing behavior will still be there
> (create a master client for the realm).
>
> I've created a proof of concept and got it working. I think this should be
> feasible.
>
> Let me know what you think. I'll be happy to submit a PR for this. Thanks.
>
> Best regards,
> Gideon
