[keycloak-user] Securing multitenant microservices

Pedro Igor Silva psilva at redhat.com
Wed Feb 6 05:50:50 EST 2019

On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka <Pavel.Micka at zoomint.com> wrote:

> Hi,
> We are currently planning how to implement Keycloak to our solution. Our
> solution is a multitenant application composed of many microservices with
> fronting API and React.js clients. Our tenants are all using the same
> instances of the microservices (those are shared).
> We will go with implicit token flow, passing the JWT token through all the
> dependencies to achieve defense-in-depth (aka: the services do the
> authorization).
> So as we'll have many tenants we will also have many realms. Because
> clients are bound to individual realm, we will need to duplicate
> (re-register through dynamic registration every client) many times. For the
> worse, we will probably also use UMA, which is bound to the client, hence
> the privileges will be duplicated as well...
> Now the questions:
> 1)      Is it somehow possible to inherit or template the definition of
> the realm, so we would only change the "master realm template" and the
> changes would propagate to all the individual tenant realms

This is not possible. However, we have discussed a similar solution when we
were working with Openshift Integration. I can't remember how we called
this at that time, Stian should remember ....

> 2)      If this is not possible, what is the recommended way to support
> this scenario with many tenants and many services? Especially when we
> expect that the clients will evolve, hence updating all the clients+uma in
> many realms may be very painful...

I don't think you have other option. Maybe you can make the job less
painful by using our APIs to help provisioning new tenants with the
"shared" configuration.

> Thanks for your advice!
> Pavel
> // PS: if there is any good article or presentation how to achieve this,
> goal, please send it to me. I will be very grateful.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list