[keycloak-user] Multi tenancy with realms

Dana Danet Dana.Danet at Evisions.com
Tue Apr 18 18:28:04 EDT 2017


Hello Cesar,

We also struggled with these decisions in our first implementation. I am just now starting to think about transitioning to a ‘Keycloak’ multi-tenant architecture.

Currently, we are running a Spring Cloud Microservice Architecture fronted by several SPA sites leveraging a single realm Keycloak instance.  This is done by storing a user attribute ‘tenant_id’ when creating a user which is done by a user microservice that delegates to Keycloak.  In fact Keycloak is only directly accessed as part of the login flow.  User creation is done via an admin SPA web module and user-service.

This design has brought a few challenges, such as restricting resources per tenant, paging users across tenants, etc. (need for a better admin API here). Fortunately, by considering Keycloak as just another service within our cloud platform and proxying through a user or tenant service, we have reduced that tight coupling to the Keycloak REST API.

No performance issues yet, but one memory leak was found with the way Keycloak logs events with Spring Framework.

-dana


On Apr 13, 2017, at 1:19 AM, Mailing lists <lists at m3b.net> wrote:

From the thread you linked to, it looks like someone already laid out some ideas where optimization could work. (Appears to be something with loading realms, caching, and flushing).


Furthermore, it would seem that a slow startup phase is (or should be) an infrequent event. As well as administration. These are not show-stoppers for me.


If anything, perhaps a better work-around would be to architect a deployment where keycloak lives closer to the tenant application instances. Simply treat the keycloak as a microservice that is bundled with your apps, and have it automated to a point where it is more "code as configuration" rather than manually logging into keycloak and clicking around?











________________________________
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Cesar Salazar <csalazar at devsu.com>
Sent: Wednesday, April 12, 2017 6:39:44 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Multi tenancy with realms

Hi. I'm looking to use keycloak for a SaaS service, using realms for
multi-tenancy. There's a discussion on a previous thread about performance
issues when there are lots of realms:
http://lists.jboss.org/pipermail/keycloak-user/2016-October/008061.html

I wanted to ask if there is some work done in that direction. If not, where
can I start looking at so I can contribute?

Also, I was wondering what would be the implications of using a custom user
attribute to "emulate" multi-tenancy. (I would add a custom attribute, and
make my microservices validate against it). I know it's not the ideal way,
but would it be possible? Do you know of any considerations I should take
into account?

Thanks!

--
*Cesar Salazar*
CTO - DEVSU | www.devsu.com
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
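
Added example, not code from the thread or from Keycloak: a fail-closed check a microservice could run for the `tenant_id` user-attribute approach discussed above, including tenant-scoped paging. It assumes the token signature has already been verified, that a protocol mapper exposes the attribute as a `tenant_id` claim, and that only the user service can write the attribute; the function names and sample users are hypothetical.

```python
from typing import Any, Iterable, Mapping

# Assumption: a Keycloak protocol mapper copies the user attribute into this claim.
TENANT_CLAIM = "tenant_id"

# Constructed sample records, as a user service might hold them.
SAMPLE_USERS = [
    {"username": "ann", "tenant_id": "acme"},
    {"username": "bob", "tenant_id": "globex"},
    {"username": "cy", "tenant_id": "acme"},
    {"username": "dee", "tenant_id": "acme"},
]


class TenantAccessError(Exception):
    """The caller may not act on the requested tenant's data."""


def caller_tenant(claims: Mapping[str, Any]) -> str:
    """Return the caller's tenant from verified claims, failing closed."""
    value = claims.get(TENANT_CLAIM)
    # A multivalued mapper emits a list; accept it only with exactly one entry.
    if isinstance(value, list) and len(value) == 1:
        value = value[0]
    if not isinstance(value, str) or not value.strip():
        raise TenantAccessError("no usable tenant_id claim in token")
    return value


def require_tenant(claims: Mapping[str, Any], resource_tenant: str) -> None:
    """Reject access to a resource owned by a different tenant."""
    if caller_tenant(claims) != resource_tenant:
        raise TenantAccessError("resource belongs to another tenant")


def page_users(claims: Mapping[str, Any], users: Iterable[Mapping[str, str]],
               offset: int = 0, limit: int = 2) -> list:
    """Filter by the token's tenant first, then page, so no page mixes tenants."""
    tenant = caller_tenant(claims)  # never taken from a request parameter
    scoped = [u["username"] for u in users if u.get("tenant_id") == tenant]
    return scoped[offset:offset + limit]
```

A token with a missing, empty, or multi-tenant claim is rejected rather than treated as unscoped, which is the failure mode that would otherwise expose every tenant's users.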