[keycloak-user] Limiting (network-based) access to different realms

Bill Burke bburke at redhat.com
Fri Apr 1 09:16:52 EDT 2016


You could write an authenticator plugged in via the auth SPI that checks 
client IP and port and does not allow connections based on that.

On 4/1/2016 5:46 AM, Guus der Kinderen wrote:
> Hello,
>
> We're working on a setup where we have two realms, a 'master' realm 
> that we use for administration, and another realm that is 
> public-facing, providing service to our end-users.
>
> We'd like to be able to prevent access to the master realm for the 
> general public. We do not want, for example, to have the general 
> public be able to access the login page for the master realm, but we 
> would like them to be able to use the login page for the other realm. 
> Things will probably get interesting in the REST interface in that sense.
>
> Ideally, we would expose each realm on a different network endpoint 
> (at the very least, use different TCP ports for each realm). We prefer 
> to avoid a solution that relies on URL / path-based filtering.
>
> Can Keycloak facilitate this? Is it possible to limit exposure of a 
> particular realm to a specific network endpoint?
>
> Kind regards,
>
>   Guus

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
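
One way to implement the check suggested in the reply above, as an added example that is not code from this thread or from the Keycloak project. The class name and the CIDR ranges are hypothetical, and it assumes the current `Authenticator` interface and a matching `AuthenticatorFactory` that registers the class with the server.

```java
import java.math.BigInteger;
import java.net.InetAddress;
import java.util.List;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Hypothetical authenticator: fails the flow unless the client address is in an allowed CIDR block.
public class SourceAddressAuthenticator implements Authenticator {
    // Constructed sample ranges; a real deployment would read these from the authenticator config.
    private static final List<String> ALLOWED = List.of("10.0.0.0/8", "192.168.10.0/24");

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Behind a reverse proxy this is the real client address only if proxy headers are configured and trusted.
        String remote = context.getConnection().getRemoteAddr();
        if (ALLOWED.stream().anyMatch(cidr -> inCidr(remote, cidr))) {
            context.success();
        } else {
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
        }
    }

    // True if addr lies inside cidr; null, malformed input or an IPv4/IPv6 mismatch counts as no match.
    static boolean inCidr(String addr, String cidr) {
        if (addr == null) return false; // InetAddress.getByName(null) would resolve to loopback
        try {
            String[] parts = cidr.split("/");
            byte[] a = InetAddress.getByName(addr).getAddress();
            byte[] n = InetAddress.getByName(parts[0]).getAddress();
            int prefix = Integer.parseInt(parts[1]);
            if (a.length != n.length || prefix < 0 || prefix > a.length * 8) return false;
            int shift = a.length * 8 - prefix; // number of host bits to discard
            return new BigInteger(1, a).shiftRight(shift).equals(new BigInteger(1, n).shiftRight(shift));
        } catch (Exception e) {
            return false; // fail closed
        }
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

An authenticator runs only inside the authentication flow it is added to, so it has to be placed in each flow bound for the realm (for example browser and direct grant). Requests that never pass through a flow are not filtered by it.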
