[keycloak-user] Keycloak support for one realm on a domain name while serving on multiple domains simultaneously

Yervand Aghababyan yervand.aghababyan at sflpro.com
Thu Apr 11 13:14:00 EDT 2019


I've also posted this question on stackoverflow. So if you want to you can
answer there so it'll be easier to find for anyone looking. Here it is:
https://stackoverflow.com/questions/55634962/keycloak-support-for-one-realm-on-a-domain-name-while-serving-on-multiple-domain


I'm building an ecosystem of applications on kubernetes with keycloak as
authentication/authorization provider. I am (or probably was) planning for
everything to be integrated with it via OpenId (OAuth2) and for user
credentials and other private information never to leave the keycloak
instance in an unencrypted form.

I was trying to implement the whole authentication scheme with the
following configurations in mind.

Realms

myservice: Realm containing the public and back-office users of my application.
           All microservices that I have are authenticating users
           against this realm.

master:    Contains admins, keycloak administrators and other resources which
           should never be exposed to the public or intranet users.
           No microservice ever performs authentication on this realm.

Domains

1.  domain: account.myservice.com

    access: public
    cors: allow requests from app.myservice.com
    config: kubernetes-ingress
    exposes: configured themes to support login, registration, etc. Endpoints
        for public front-end application token validation
    description: Only exposes access to a realm called "myservice" in keycloak.
        No users from other realms can log in or interact.

2.  domain: account.internal.myservice.com

    access: intranet/admins
    cors: allow requests from back-office.internal.myservice.com
    config: kubernetes-ingress
    exposes: configured themes to support login, registration, etc. Endpoints
        for back-end front-end application token validation
    description: Exposes all the realms and provides access to keycloak
        administrative UI.

3.  domain: keycloak (keycloak.default.svc.cluster.local)

    access: cluster-internal
    cors: none
    config: kubernetes service, visible only inside the cluster
    exposes: endpoints for back-end application token validation
    description: Only exposes realm "myservice" and is used for other
        services to validate user tokens and similar stuff.

I did come across a number of issues when trying to implement the above
configuration scheme. If I do SSL termination inside Keycloak I won't be
able to configure the different domains via a reverse proxy or similar
approach which, in turn, means that Keycloak should provide a feature to
listen on a separate SSL encrypted port and only make one realm available
there. Which it does not. So do I want something weird here? Are the best
practices different from what I want?

-- 
Best Regards,
Yervand
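One way to get the per-domain exposure described in the post with TLS terminated at the ingress rather than inside Keycloak, as an added example that is not from the original thread or from the Keycloak project. It assumes an ingress-nginx controller, the networking.k8s.io/v1 Ingress API, Keycloak reachable as Service "keycloak" on port 8080, Keycloak served under its default /auth context path, and a placeholder TLS secret name.

```yaml
# Added example (not from the original post). Assumptions: ingress-nginx,
# Service "keycloak" on port 8080, Keycloak under /auth, TLS secret
# "keycloak-tls" is a placeholder name.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: default
spec:
  tls:
  - hosts: [account.myservice.com, account.internal.myservice.com]
    secretName: keycloak-tls
  rules:
  # Public host: only the "myservice" realm's endpoints (login, token,
  # userinfo, account console) plus the static theme resources the login
  # pages need. /auth/realms/master and /auth/admin match no rule here, so
  # the controller answers them with its default 404 on this host.
  - host: account.myservice.com
    http:
      paths:
      - path: /auth/realms/myservice
        pathType: Prefix
        backend:
          service: {name: keycloak, port: {number: 8080}}
      - path: /auth/resources
        pathType: Prefix
        backend:
          service: {name: keycloak, port: {number: 8080}}
  # Intranet host: the whole Keycloak context, every realm and the admin
  # console. The Ingress itself does not limit who can reach this host;
  # that restriction has to come from the network (intranet-only exposure).
  - host: account.internal.myservice.com
    http:
      paths:
      - path: /auth
        pathType: Prefix
        backend:
          service: {name: keycloak, port: {number: 8080}}
```

Domain 3 from the post needs no Ingress at all, since back-end services call the in-cluster Service directly; Keycloak must be told it sits behind a proxy (the jboss/keycloak image's PROXY_ADDRESS_FORWARDING=true) so it builds issuer and redirect URLs from the forwarded host, and back-end token validation through the cluster-internal name must then be configured to expect the public hostname in the token's iss claim.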

