[keycloak-user] Dynamic multi-realm authentication with Keycloak

Michel Fleur m.fleur at topdesk.com
Mon Mar 7 07:21:16 EST 2016


We are building a system with multiple services that service a set of 
user communities. Each user belongs only to one community. Each service 
potentially services all communities. Both the set of services and set 
of communities is dynamic. Each community can configure its own 
authentication scheme and UI theme. Login names - if used by the 
authentication scheme - are not necessarily unique across communities. 
The number of communities will be in the order of thousands.

As far as I can see, separation of authentication and UI themes requires 
the mapping of communities on their own dedicated Keycloak realms. 
That's okay. Our services will know against what realm to authenticate a 

Naturally, I looked into you multi-tenant example (1). It does not seem 
trivial to let a service authenticate to just any realm. It doesn't feel 
right to script-or-service a lot of JSON around for each time a service 
(instance) starts or a community gets added or removed.

Is there a way to make this more dynamic? (2)  It can very well be that 
I bluntly overlook something!

GreetZ (and thanks in advance),

Example multi-tenant service using Keycloak: 
In our case, tenant means community.

The best I can come up with is to have each service use the REST API to 
get the realm information before the user is actually authenticated 
against it. However, can a service that is not yet registered with a 
realm also access that realm?

More information about the keycloak-user mailing list