[keycloak-user] Multitenancy for WAR

[Travis De Silva]

Hi Bill,

Sorry for missing your ping as this is something that we definitely need. I
was going down the keycloak.js path (since we use AngularJS as our UI
layer) but doing it on the server side is so much more elegant.

Picking the realm name from the URI is the way to go. Maybe we have it as a
query parameter rather than within the path as then it is less invasive for
the war application.

I don't understand the keycloak code base enough to comment on how we can
deploy the new AdapterDeploymentContext but what if this feature is plugged
into the current AdapterDeploymentContext and this is a feature of the core
product?

Also with regard to getting realm information from the server using a shared
client secret, or public clients, another way to do this might be to
provide an alternate way to pick the keycloak.json file by storing it
outside the war in the file system and then based on the realm name in the
uri, pick the corresponding keycloak.json file and run the KeycloakDeployment.
We can name the the files as keycloak-{realmname}.json

Note we can keep the current functionality where it can pick it from within
the war but if the file is missing, currently its throwing an exception.
Maybe before we throw the exception, we also check the file system as well.

Then maybe we don't need to load this on request but can have a directory
scanner and whenever a new file is added or removed, it will automatically
pick it up. Sort of how the JBoss/Wildfly deployment scanner works. On each
request of course it will need to pick the correct realm to perform the
authentication.

This might be more elegant but once again I don't know enough of the core
keycloak code to comment if doing this is more complex than the other
option.

Obviously these changes will not go into 1.0 release but a subsequent
release (hopefully the first beta release after 1.0 :)

Therefore it might be good to give some thought and get this right. For me
this and the multi-lingual are the two key items that we need to tick off
to be able to use this in a multi tenancy environment.

Keen to know your thoughts.

Cheers
Travis




On Thu, Sep 4, 2014 at 11:15 PM, Bill Burke <bburke at redhat.com> wrote:

> Travis, I did do most of the work for this.  I think I pinged you to see
> if you still wanted the feature, but never followed through.  I'm sorry.
>
> All this would require a shared client secret, or public clients.  It
> would require you to extract the realm name somehow based on the current
> HTTP request.  Probably a URI pattern.
>
> There is an AdapterDeploymentContext class.  This class has a method:
>
> KeycloakDeployment resolveDeployment(HttpFacade)
>
> This method get's called every request.  You would extend this class and
> override resolveDeployment and create (and then cache) your
> KeycloakDeployment based on the incoming HTTP request.
>
> The only problem is that the current code has no way for you to plug in
> a new implementation of the AdapterDeploymentContext.
>
> On 9/4/2014 2:36 AM, Travis De Silva wrote:
> > Hi Stian,
> >
> > You proposed solution would not cover the use case where we can create
> > tenants at runtime as the realm config in the keycloak.json would be
> > hard coded into the war.
> >
> > I had discussed this identical use case a while ago on this forum and
> > Bill was planning to refactor the adapters to support this use case.
> > Unfortunately he got caught up in other tasks and was not able to
> > proceed on this.
> >
> > The discussion thread is here
> > http://lists.jboss.org/pipermail/keycloak-user/2014-March/000062.html
> >
> > Basically what I believe Bill suggested which would meet this use case
> > is to:
> >
> >  1. Have a shared secret between clients for all realms.
> >  2. The adapter would just extract the realm name from the request,
> >     invoke on the keycloak server to get the public information about
> >     the realm (i.e. public key) and then cache the information locally.
> >
> > The key bit here is extracting the realm name from the request and then
> > pulling the realm info from the keycloak server.
> >
> > I had a look at the keycloak source code and I believe the magic happens
> > in the KeycloakServletExtension class under the
> > org.keycloak.adapters.undertow package for my use case (since I deploy
> > it on wildfly)
> >
> > What I have got stumped is that this class gets loaded when my war is
> > deployed and I am wondering how I can do it per request (if the info is
> > not already cached locally)
> >
> > Maybe with the imminent release of 1.0 (btw congrats for the great work
> > to everyone in the team and for Bill and your leadership), maybe we
> > should start thinking about this multi tenancy use case to be included
> > in future releases.
> >
> > I believe that SaaS models are going to be popular and having this
> > feature added will make keycloak a major player in this space.
> >
> > Cheers
> > Travis
> >
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140905/42e0b074/attachment-0001.html