[keycloak-user] Keycloak support for one realm on a domain name while serving on multiple domains simultaneously
Yervand Aghababyan
yervand.aghababyan at sflpro.com
Fri Apr 12 09:00:03 EDT 2019
A follow-up to better explain what I want.
What's the best practice for creating a separate domain or hostname that
can only authenticate users of one custom Keycloak realm, so that I do not
expose the login form for the master realm to the public, keeping admins in
the master realm and end-users in a custom realm?
On Thu, Apr 11, 2019 at 9:14 PM Yervand Aghababyan <
yervand.aghababyan at sflpro.com> wrote:
> I've also posted this question on Stack Overflow. So if you want, you can
> answer there, so that it will be easier to find for anyone looking. Here it is:
> https://stackoverflow.com/questions/55634962/keycloak-support-for-one-realm-on-a-domain-name-while-serving-on-multiple-domain
>
>
> I'm building an ecosystem of applications on Kubernetes with Keycloak as
> the authentication/authorization provider. I am (or probably was) planning for
> everything to be integrated with it via OpenID (OAuth2), and for user
> credentials and other private information never to leave the Keycloak
> instance in an unencrypted form.
>
> I was trying to implement the whole authentication scheme with the
> following configurations in mind.
> Realms
>
> myservice: Realm containing the public and back-office users of my application.
> All the microservices I have authenticate users against this realm.
>
> master: Contains admins, Keycloak administrators and other resources which
> should never be exposed to the public or to intranet users. No microservice
> ever performs authentication on this realm.
>
> Domains
>
> 1. domain: account.myservice.com
>
> access: public
> cors: allow requests from app.myservice.com
>
> config: kubernetes-ingress
> exposes: configured themes to support login, registration, etc. Endpoints
> for public front-end application token validation
> description: Only exposes access to a realm called "myservice" in Keycloak.
> No users from other realms can log in or interact.
>
> 2. domain: account.internal.myservice.com
>
> access: intranet/admins
> cors: allow requests from back-office.internal.myservice.com
>
> config: kubernetes-ingress
> exposes: configured themes to support login, registration, etc. Endpoints
> for back-end front-end application token validation
> description: Exposes all the realms and provides access to the Keycloak
> administrative UI.
>
> 3. domain: keycloak (keycloak.default.svc.cluster.local)
> access: cluster-internal
> cors: none
> config: kubernetes service, visible only inside the cluster
> exposes: endpoints for back-end application token validation
> description: Only exposes realm "myservice" and is used for other services to
> validate user tokens and similar stuff.
>
> I did come across a number of issues when trying to implement the above
> configuration scheme. If I do SSL termination inside Keycloak, I won't be
> able to configure the different domains via a reverse proxy or a similar
> approach, which, in turn, means that Keycloak would have to provide a feature to
> listen on a separate SSL-encrypted port and only make one realm available
> there, which it does not. So do I want something weird here? Are the best
> practices different from what I want?
>
> --
> Best Regards,
> Yervand
>
--
Best Regards,
Yervand
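The three-hostname layout described in the quoted post can be enforced by terminating TLS at the ingress or reverse proxy and applying a per-hostname path allowlist before anything reaches Keycloak, since only the proxy sees the Host header and path. The following is an added example, not code from the poster or from the Keycloak project: a small policy model of that allowlist, with a normalisation step so that dot-segment and percent-encoded spellings of the master realm path cannot slip past a prefix check. It assumes the Keycloak 4.x-era URL layout with the `/auth` context root (`/auth/realms/<realm>/...`, `/auth/admin/...`, `/auth/resources/...`); the policy table itself is a hypothetical design, and the sample requests are constructed for the demonstration.

```python
# Added example (not from the original post or the Keycloak project): a model of
# the per-hostname path allowlist an ingress or reverse proxy would enforce in
# front of ONE Keycloak instance, so that the public hostname only reaches the
# "myservice" realm while the master realm and the admin console stay internal.
# This presumes TLS is terminated at the proxy, not inside Keycloak, because only
# the proxy sees the Host header and path before forwarding.
#
# Assumptions: Keycloak 4.x-era URL layout with the /auth context root
# (/auth/realms/<realm>/..., /auth/admin/..., /auth/resources/...). The policy
# table itself is a hypothetical design, not Keycloak configuration.
import posixpath
from urllib.parse import unquote

PUBLIC_HOST = "account.myservice.com"
INTERNAL_HOST = "account.internal.myservice.com"
CLUSTER_HOST = "keycloak.default.svc.cluster.local"

# Per-host allowlist of path prefixes. Anything not listed is denied, so
# /auth/realms/master/ and /auth/admin/ are reachable only via INTERNAL_HOST.
POLICY = {
    PUBLIC_HOST: (
        "/auth/realms/myservice/",  # login, registration, account console, OIDC endpoints
        "/auth/resources/",         # static theme assets (CSS/JS/images), no user data
        "/auth/js/",                # keycloak.js browser adapter
    ),
    INTERNAL_HOST: (
        "/auth/",                   # every realm plus the admin console
    ),
    CLUSTER_HOST: (
        # back-end services only need the protocol endpoints of the app realm
        "/auth/realms/myservice/protocol/openid-connect/",
        "/auth/realms/myservice/.well-known/",
    ),
}


def normalize_path(raw_path):
    """Return a canonical absolute path, or None if the request should be refused.

    Decoding once and collapsing dot-segments means a prefix check cannot be
    bypassed with /auth/realms/myservice/../master/ or its %2e%2e spelling.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]  # ignore query and fragment
    path = unquote(path)
    if "%" in path or "\x00" in path:
        return None  # still encoded after one decode (double encoding) or NUL: refuse
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return None  # relative path, nothing sane to match against
    return norm


def is_allowed(host, raw_path):
    """Decide whether the edge should forward this request to Keycloak."""
    hostname = host.split(":", 1)[0].lower()  # drop port; hostnames are case-insensitive
    prefixes = POLICY.get(hostname)
    if prefixes is None:
        return False  # unknown vhost: default deny
    path = normalize_path(raw_path)
    if path is None:
        return False
    # normpath strips the trailing slash, so match the bare prefix root as well
    return any(path == p.rstrip("/") or path.startswith(p) for p in prefixes)


def evaluate(requests):
    """Run (host, path) pairs through the policy and return the decisions."""
    return [(host, path, is_allowed(host, path)) for host, path in requests]


# Constructed sample requests for the demonstration.
SAMPLE_REQUESTS = [
    (PUBLIC_HOST, "/auth/realms/myservice/protocol/openid-connect/auth?client_id=app"),
    (PUBLIC_HOST, "/auth/realms/master/protocol/openid-connect/auth"),
    (PUBLIC_HOST, "/auth/admin/master/console/"),
    (PUBLIC_HOST, "/auth/realms/myservice/../master/protocol/openid-connect/auth"),
    (PUBLIC_HOST, "/auth/realms/myservice/%2e%2e/master/"),
    (INTERNAL_HOST, "/auth/admin/master/console/"),
    (CLUSTER_HOST, "/auth/realms/myservice/protocol/openid-connect/token"),
    (CLUSTER_HOST, "/auth/realms/myservice/account/"),
]

if __name__ == "__main__":
    for host, path, ok in evaluate(SAMPLE_REQUESTS):
        print(f"{'ALLOW' if ok else 'DENY':5} https://{host}{path}")
```

In practice each tuple in `POLICY` becomes a `path` entry on the matching Ingress host (or an nginx `location` block) with everything else returning 404, and the normalisation shown here is what the proxy must do before matching. Two caveats a practitioner should keep in mind: the public prefix still exposes the realm's registration and account endpoints, which is what the post wants but should be a deliberate choice, and Keycloak derives the `iss` claim of the tokens it issues from the URL the request arrived on unless a fixed frontend hostname is configured, so back-end services validating tokens through `keycloak.default.svc.cluster.local` must be configured to accept the issuer seen via `account.myservice.com`, or they will reject otherwise valid tokens.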