[keycloak-dev] Supporting multiple front-end channels (KEYCLOAK-6073)
Luke McDougall
luke.mcdougall at gmail.com
Wed Jul 17 08:44:42 EDT 2019
Hi... I'd like to continue a discussion regarding supporting multiple
public realm URLs that was started on
https://issues.jboss.org/browse/KEYCLOAK-6073.
We are using Keycloak to support single-sign on to our suite of products.
Our products run in a Kubernetes cluster; we deploy a Kubernetes cluster
into our customers data centers to host our products. The products consist
of microservices built on Widlfy, NGINX, Spring Boot, and others. We use
NGINX ingress controllers as the entry point into the cluster.
Users may access the products through multiple DNS names and/or IP
addresses; this is driven by each customers requirements. For example,
regular customer employees may access the cluster using a loadbalancer DNS
name while external contractors may need to connect via a VPN and are
required to use a different DNS name (maybe to a different loadbalancer).
In other cases multiple IP (or VIP) addresses are used. All users are
logging into the same Keycloak realm.
The result is that the 'issuer' in the JWT tokens is different depending on
how the user is required to access the cluster; we need the Keycloak
adapter in our backend services to accept each of these possible issuers.
We have developed proof-of-concept changes in the Keycloak adapter to solve
this by allowing us to specify a list of valid realm URLs in the
keycloak.json file used by the adapter. Our intent was to submit this as a
pull request for KEYCLOAK-6073. However at the same time as we were
working on this, someone else submitted a pull request against
KEYCLOAK-6073 to support a single frontend and a single backend URL.
I commented on the JIRA issue asking whether we could enhance this PR allow
multiple frontend channels. I'm concerned that if this PR is merged
without supporting multiple frontend channels that it will be more
difficult to add this afterwards. However at Stian Thorgersen's request I
have moved the conversation off JIRA and onto the mailing list.
What do you think? Is there any reason Keycloak shouldn't support multiple
frontend channels? We have customers that are very strict about separating
client access as described above, and I'm not sure how else we could
support this with Keycloak.
Thanks...
Luke
More information about the keycloak-dev
mailing list