[keycloak-dev] Users and Realms

Stian Thorgersen sthorger at redhat.com
Mon May 20 05:31:17 EDT 2019


For the new store I was actually thinking that we could completely detach
users from the realm. Rather than have a user store as part of the realm we
would just have an optional Keycloak user store that could be attached to a
realm in the same way as any other user store.

We shouldn't make any such big changes to the current store though and
rather reserve that to the next store.

On Thu, 16 May 2019 at 17:56, Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> As you know, currently users belong to a realm and as such, you can't share
> them across different realms. We always had people looking for alternatives
> about how to solve this problem where all the available options have their
> pros and cons.
>
> I would like to see what you think about decoupling users from realms in a
> way that user federation and management are completely decoupled from
> realms so that users (or group of users) can be *associated* with realms.
>
> As an example, here is how you would configure users and realms in
> Keycloak:
>
> 1) Configure your identity stores/user federation from where users will be
> fetched. Or create users in Keycloak.
>
> 2) Assign to your users a label or a logical group. This assignment could
> be done manually or even automatically depending on:
>
>     a) default group where all users are in
>     b) the identity store from where users are fetched
>     c) based on the user's email (domain)
>     d) anything else that makes sense
>
> 3) Create a realm and specify which users should belong to a realm based on
> these labels or groups. A realm should be able to have users with different
> labels/groups.
>
> The realm definition/configuration would not change much as it stands
> today. Each of them would still have their own way of managing realm
> specific groups and roles.
>
> Regards.
> Pedro Igor