[keycloak-user] Multi realms approach

Michael Liebe Michael.Liebe at ist.com
Sat Sep 30 14:08:03 EDT 2017


Yes, the tokens are still realm specific.  This is how the setup basically works:
- The user requests a resource from application A, gets redirected to Keycloak – realm A - which, in turn, redirects to the IdP.
After authentication at the IdP the user is redirected back to Keycloak which issues the token for the application within realm A.
- Then, the user switches to application B. The user is again redirected to Keycloak - but now to realm B. Since the user has no active session here, the user is further redirected to the IdP.
Since the user already has an active session at the IdP the request is redirected directly, i.e. without user interaction, back to Keycloak which in turn issues a token within realm B to application B.


From: Stephen Henrie <stephen at saasindustries.com>
Date: Saturday, 30 September 2017 at 19:34
To: Michael Liebe <Michael.Liebe at ist.com>
Cc: Matthias ANGLADE <manglade at nextoo.fr>, "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Multi realms approach

I am curious... how does this address the issue of requiring users to re-login again to switch realms?

I ask, as this is a very common need and since the access token is specific to a Keycloak realm, I don't see how this would address that situation without Keycloak supporting "trusted realms".
Thanks
Stephen
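
The flow described in this thread, modelled as an added example that is not part of the original messages or of Keycloak's code: two realms broker to one IdP, the user is prompted once, and an application in realm B still rejects a realm A token. Assumptions: the host name, keys, browser id and user are constructed, and an HMAC over a simplified two-part token stands in for Keycloak's per-realm signed JWTs.

```python
import base64, hashlib, hmac, json

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class IdP:
    """External identity provider: the only place an interactive login happens."""
    def __init__(self):
        self.sessions = {}   # browser id -> authenticated user
        self.prompts = 0     # number of interactive credential prompts
    def authenticate(self, browser, user):
        if browser not in self.sessions:
            self.prompts += 1
            self.sessions[browser] = user
        return self.sessions[browser]   # assertion handed back to the realm

class Realm:
    """One Keycloak realm brokering to the IdP, with its own issuer and key."""
    def __init__(self, name, key, idp):
        self.iss = f"https://keycloak.example/auth/realms/{name}"  # constructed host
        self.key, self.idp, self.sessions = key, idp, {}
    def _sign(self, body):
        return _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
    def login(self, browser, user):
        if browser not in self.sessions:   # no realm session yet: redirect to IdP
            self.sessions[browser] = self.idp.authenticate(browser, user)
        claims = {"iss": self.iss, "sub": self.sessions[browser]}
        body = _b64(json.dumps(claims).encode())
        return f"{body}.{self._sign(body)}"
    def verify(self, token):
        """Checks an application in this realm applies before trusting a token."""
        body, _, sig = token.partition(".")
        if not hmac.compare_digest(sig.encode(), self._sign(body).encode()):
            return None   # not signed with this realm's key
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims if claims.get("iss") == self.iss else None

def demo():
    idp = IdP()
    realm_a = Realm("A", b"constructed-key-a", idp)
    realm_b = Realm("B", b"constructed-key-b", idp)
    tok_a = realm_a.login("browser-1", "alice")   # interactive prompt at the IdP
    tok_b = realm_b.login("browser-1", "alice")   # silent: IdP session exists
    return idp.prompts, realm_a.verify(tok_a), realm_b.verify(tok_b), realm_b.verify(tok_a)

if __name__ == "__main__":
    print(demo())
```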

