[keycloak-user] Securing multitenant microservices

Pedro Igor Silva psilva at redhat.com
Wed Feb 6 05:50:50 EST 2019


On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka <Pavel.Micka at zoomint.com> wrote:

> Hi,
>
> We are currently planning how to implement Keycloak to our solution. Our
> solution is a multitenant application composed of many microservices with
> fronting API and React.js clients. Our tenants are all using the same
> instances of the microservices (those are shared).
> We will go with implicit token flow, passing the JWT token through all the
> dependencies to achieve defense-in-depth (aka: the services do the
> authorization).
>
> So as we'll have many tenants we will also have many realms. Because
> clients are bound to individual realm, we will need to duplicate
> (re-register through dynamic registration every client) many times. For the
> worse, we will probably also use UMA, which is bound to the client, hence
> the privileges will be duplicated as well...
>
> Now the questions:
>
> 1)      Is it somehow possible to inherit or template the definition of
> the realm, so we would only change the "master realm template" and the
> changes would propagate to all the individual tenant realms
>

This is not possible. However, we have discussed a similar solution when we
were working with OpenShift Integration. I can't remember what we called
this at that time, Stian should remember ....


>
> 2)      If this is not possible, what is the recommended way to support
> this scenario with many tenants and many services? Especially when we
> expect that the clients will evolve, hence updating all the clients+uma in
> many realms may be very painful...
>

I don't think you have any other option. Maybe you can make the job less
painful by using our APIs to help provision new tenants with the
"shared" configuration.


>
> Thanks for your advice!
>
> Pavel
>
>
> // PS: if there is any good article or presentation how to achieve this,
> goal, please send it to me. I will be very grateful.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>


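The suggestion above, using the Admin REST API to stamp out tenant realms from one shared configuration, as an added example that is not part of the thread and not Keycloak's own tooling. It keeps a single in-code realm template, renders a per-tenant RealmRepresentation from it, and posts it to the standard admin endpoints (`POST /admin/realms`, and `GET`/`PUT`/`POST` on `/admin/realms/{realm}/clients` to push later client changes into realms that already exist). The template contents, client ids, hostnames and the `base_url` are constructed placeholders; on older Keycloak versions `base_url` must include the `/auth` prefix. The tenant id is validated before it is used in a URL path so that a caller cannot address a realm other than the one intended.

```python
"""Provision per-tenant Keycloak realms from one shared template (added example)."""
import copy
import json
import re
import urllib.parse
import urllib.request

# Constructed "shared" configuration every tenant realm should receive.
# Client ids, roles and the hostname pattern are placeholders, not from the thread.
REALM_TEMPLATE = {
    "enabled": True,
    "sslRequired": "external",
    "clients": [
        {"clientId": "react-frontend", "publicClient": True,
         "redirectUris": ["https://{tenant}.example.test/*"]},
        {"clientId": "orders-service", "bearerOnly": True},
    ],
    "roles": {"realm": [{"name": "tenant-admin"}, {"name": "tenant-user"}]},
}

# Realm names end up in URL paths; only accept a conservative character set
# so a tenant id like "../master" can never address another realm.
_TENANT_ID = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")


def validate_tenant_id(tenant_id):
    if not _TENANT_ID.match(tenant_id):
        raise ValueError(f"invalid tenant id: {tenant_id!r}")
    return tenant_id


def build_tenant_realm(template, tenant_id):
    """Render a RealmRepresentation for one tenant without mutating the template."""
    validate_tenant_id(tenant_id)
    realm = copy.deepcopy(template)
    realm["realm"] = tenant_id
    realm["displayName"] = f"Tenant {tenant_id}"
    for client in realm.get("clients", []):
        client["redirectUris"] = [u.replace("{tenant}", tenant_id)
                                  for u in client.get("redirectUris", [])]
    return realm


def admin_token(base_url, username, password):
    """Password grant against the master realm with the built-in admin-cli client."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token",
                                 data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _json_request(method, url, token, payload=None):
    body = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data=body, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def create_realm(base_url, token, realm_rep):
    """Create a new tenant realm from a rendered representation."""
    return _json_request("POST", f"{base_url}/admin/realms", token, realm_rep)


def sync_client(base_url, token, realm_name, client_rep):
    """Push a changed client definition from the template into an existing realm:
    update it if the clientId is already registered there, otherwise create it."""
    validate_tenant_id(realm_name)
    query = urllib.parse.urlencode({"clientId": client_rep["clientId"]})
    found = _json_request("GET", f"{base_url}/admin/realms/{realm_name}/clients?{query}", token)
    if found:
        return _json_request("PUT", f"{base_url}/admin/realms/{realm_name}/clients/{found[0]['id']}",
                             token, client_rep)
    return _json_request("POST", f"{base_url}/admin/realms/{realm_name}/clients", token, client_rep)


if __name__ == "__main__":
    # Offline dry run: show what would be posted for one tenant.
    print(json.dumps(build_tenant_realm(REALM_TEMPLATE, "acme"), indent=2))
```

Running the full provisioning needs a reachable server: `token = admin_token(base_url, user, password)`, then `create_realm(base_url, token, build_tenant_realm(REALM_TEMPLATE, tenant))` for each new tenant, and after editing `REALM_TEMPLATE["clients"]` a loop of `sync_client(...)` over the existing realm names to propagate the change. The template is deep-copied per tenant so one rendered realm cannot leak tenant-specific redirect URIs into the next.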