[keycloak-user] Multitenancy for WAR

Bill Burke bburke at redhat.com
Sun Jun 1 07:28:14 EDT 2014

We already support some form of multi-tenancy.  One keycloak server can 
serve up multiple realms.

For multitenant-apps I was thinking of an app or service that needs to 
support multiple isolated realms.

For bearer-only services, there would just be a list of realms that are 
supported and the keycloak adapter would just look into the bearer token 
to know which realm to validate the token with.  For browser apps, they 
need to be able to know which realm you are authenticating against, so I 
thought the desired realm would be extracted from the URL.

I balk at your use-case because I don't like the idea of cross-realm users.

On 6/1/2014 4:02 AM, Nils Preusker wrote:
> The only issue is that we might need to be able to assign different
> roles to the same user in different application instances.

What you could do is not use the keycloak adapter and just hand code 
your interactions via our oauth client api.  Then your application 
service could figure out which realm and application instance the user 
was logging into however it wanted and pass that information along when 
you start the oauth protocol flow.  Following me?

Bill Burke
JBoss, a division of Red Hat
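
Added example, not part of the original message and not Keycloak adapter code: a sketch of the bearer-only idea above, where the realm named in the token is used only to pick a key from the service's fixed list of supported realms, and the token is then verified with that realm's key. The claim name `realm`, the realm names and the keys are assumptions constructed for the example, and HMAC-SHA256 stands in for the realm's real signature scheme so that it runs with the standard library only.

```python
import base64, hashlib, hmac, json

# Constructed sample data: the fixed list of realms this service supports,
# each with its own verification key (hypothetical names and keys).
REALM_KEYS = {"tenant-a": b"constructed-key-a", "tenant-b": b"constructed-key-b"}

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue(realm_claim, signing_key, subject):
    """Build a constructed sample token (helper for the demo, not a Keycloak API)."""
    head = _b64e(json.dumps({"alg": "HS256"}).encode())
    body = _b64e(json.dumps({"realm": realm_claim, "sub": subject}).encode())
    sig = hmac.new(signing_key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def validate(token):
    """Return (realm, claims) for a valid token; raise ValueError otherwise."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64d(head))
        claims = json.loads(_b64d(body))
        signature = _b64d(sig)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # The realm claim is still unverified at this point: it is used only as
    # a lookup key into the fixed list, never to locate a key elsewhere.
    realm = claims.get("realm")
    key = REALM_KEYS.get(realm) if isinstance(realm, str) else None
    if key is None:
        raise ValueError("realm not supported")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature does not match realm key")
    return realm, claims
```

A token signed with one realm's key but naming another realm fails the signature check, which keeps the realms isolated even though the realm is selected from the token itself.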
