[keycloak-dev] Users and Realms

Pedro Igor Silva psilva at redhat.com
Mon May 20 08:03:38 EDT 2019


Sounds like a good plan to me ...

On Mon, May 20, 2019 at 6:31 AM Stian Thorgersen <sthorger at redhat.com>
wrote:

> For the new store I was actually thinking that we could completely detach
> users from the realm. Rather than have a user store as part of the realm we
> would just have an optional Keycloak user store that could be attached to a
> realm in the same way as any other user store.
>
> We shouldn't make any such big changes to the current store though and
> rather reserve that to the next store.
>
> On Thu, 16 May 2019 at 17:56, Pedro Igor Silva <psilva at redhat.com> wrote:
>
>> Hi,
>>
>> As you know, currently users belong to a realm and as such, you can't share
>> them across different realms. We always had people looking for alternatives
>> about how to solve this problem where all the available options have their
>> pros and cons.
>>
>> I would like to see what you think about decoupling users from realms in a
>> way that user federation and management are completely decoupled from
>> realms so that users (or group of users) can be *associated* with realms.
>>
>> As an example, here is how you would configure users and realms in
>> Keycloak:
>>
>> 1) Configure your identity stores/user federation from where users will be
>> fetched. Or create users in Keycloak.
>>
>> 2) Assign to your users a label or a logical group. This assignment could
>> be done manually or even automatically depending on:
>>
>>     a) default group where all users are in
>>     b) the identity store from where users are fetched
>>     c) based on the user's email (domain)
>>     d) anything else that makes sense
>>
>> 3) Create a realm and specify which users should belong to a realm based on
>> these labels or groups. A realm should be able to have users with different
>> labels/groups.
>>
>> The realm definition/configuration would not change much as it stands
>> today. Each of them would still have their own way of managing realm
>> specific groups and roles.
>>
>> Regards.
>> Pedro Igor
>>
>
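
The three configuration steps proposed in the quoted message, modelled as an added sketch (not code from the thread or from Keycloak). Every class, function, label, store name and domain here is hypothetical and constructed for illustration; none of them are Keycloak APIs.

```python
# Hypothetical model of the proposal; none of these names are Keycloak APIs.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    email: str
    store: str  # step 1: identity store the user was fetched from


@dataclass
class Realm:
    name: str
    labels: set  # step 3: labels whose users belong to this realm


# Constructed rule tables for the automatic assignments in step 2 (a, b, c).
DEFAULT_LABEL = "everyone"
STORE_LABELS = {"corp-ldap": "employees", "partner-ldap": "partners"}
DOMAIN_LABELS = {"example.com": "employees", "partner.example": "partners"}


def labels_for(user):
    """Step 2: derive a user's labels from the default, the store and the email domain."""
    labels = {DEFAULT_LABEL}
    if user.store in STORE_LABELS:
        labels.add(STORE_LABELS[user.store])
    domain = user.email.rpartition("@")[2].lower()
    if domain in DOMAIN_LABELS:
        labels.add(DOMAIN_LABELS[domain])
    return labels


def realm_members(realm, users):
    """Step 3: a user belongs to a realm when any of their labels is selected by it."""
    return sorted(u.username for u in users if labels_for(u) & realm.labels)


# Constructed sample data: users live outside any realm and are only associated with realms.
USERS = [
    User("alice", "alice@example.com", "corp-ldap"),
    User("bob", "bob@partner.example", "partner-ldap"),
    User("carol", "carol@other.example", "keycloak"),
]
REALMS = [
    Realm("intranet", {"employees"}),
    Realm("portal", {"employees", "partners"}),
    Realm("public", {"everyone"}),
]

if __name__ == "__main__":
    for realm in REALMS:
        print(realm.name, realm_members(realm, USERS))
```

In this model the same user record can appear in several realms without being copied, and a realm's membership is whatever its label selection resolves to.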

