[keycloak-dev] Users and Realms

[Pedro Igor Silva]

Yeah, it was mainly targeted for openshift when we were doing all the
integration work. It is still a good solution to make more flexible realm
configuration. Especially when you have a set of predefined settings that
serve as the skeleton to create realms that are targeted to protect a
specific domain.

My proposal is not simple to implement too. Although it is mainly focused
on solving a specific problem where users can have access to applications
in different realms, thus can be associated with distinct realms.

We have some workarounds to solve this problem but it either relies on
using a single realm or replicating users across realms through identity
brokering. Each one with its pros and cons.

I personally think that the identity broker approach is the most
appropriate option as it kinds of creates a trust model across realms
(federation) while still keeping each realm with their own security
policies and configuration. However, since all trusted realms are in
Keycloak, we have users duplicated across these realms. I would like to see
other opinions about this and if it the approach I'm suggesting (for users)
makes sense.

It should also allow admins to:

* Admins can manage users from a single place
* Admins can map user access more clearly, considering the different realms
they are associated with (traceability)
* Admins can grant/revoke access to users on realms more easily

On Fri, May 17, 2019 at 9:40 AM Bruno Oliveira <bruno at abstractj.org> wrote:

> I agree with Stan on the use cases.
>
> Looking at what you suggested it reminds me about something that we
> talked some time ago called "Realms of realms".
>
> The idea consisted of sharing clients, roles, client scopes,
> users...across multiple instances through realm inheritance. Into other
> words, you have a "master" realm with these items that you wanted to
> share, and the other realms that would benefit from it. Keep in mind that
> I'm
> briefly summarizing it.
>
> Of course, the complexity to implement this is far from being simple as
> your
> proposal, but maybe your idea could complement what was suggested for
> "Realms of realms".
>
> On 2019-05-16, Pedro Igor Silva wrote:
> > Hi,
> >
> > As you know, currently users belong to a realm and as such, you can't
> share
> > them across different realms. We always had people looking for
> alternatives
> > about how to solve this problem where all the available options have
> their
> > pros and cons.
> >
> > I would like to see what you think about decoupling users from realms in
> a
> > way that user federation and management are completely decoupled from
> > realms so that users (or group of users) can be *associated* with realms.
> >
> > As an example, here is how you would configure users and realms in
> Keycloak:
> >
> > 1) Configure your identity stores/user federation from where users will
> be
> > fetched. Or create users in Keycloak.
> >
> > 2) Assign to your users a label or a logical group. This assignment could
> > be done manually or even automatically depending on:
> >
> >     a) default group where all users are in
> >     b) the identity store from where users are fetched
> >     c) based on the user's email (domain)
> >     d) anything else that makes sense
> >
> > 3) Create a realm and specify which users should belong to a realm based
> on
> > these labels or groups. A realm should be able to have users with
> different
> > labels/groups.
> >
> > The realm definition/configuration would not change much as it stands
> > today. Each of them would still have their own way of managing realm
> > specific groups and roles.
> >
> > Regards.
> > Pedro Igor
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> --
>
> abstractj
>