[keycloak-user] Securing multitenant microservices

Hariprasad N hariprasad.n at ramyamlab.com
Wed Feb 6 06:14:49 EST 2019


Hi Pedro Igor Silva,

We also have a similar requirement. You said


*I don't think you have other option. Maybe you can make the job less
painful by using our APIs to help provisioning new tenants with the
"shared" configuration*.

Can you tell me how, with examples if possible?

On Wed, Feb 6, 2019 at 4:27 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka <Pavel.Micka at zoomint.com>
> wrote:
>
> > Hi,
> >
> > We are currently planning how to implement Keycloak to our solution. Our
> > solution is a multitenant application composed of many microservices with
> > fronting API and React.js clients. Our tenants are all using the same
> > instances of the microservices (those are shared).
> > We will go with implicit token flow, passing the JWT token through all
> > the dependencies to achieve defense-in-depth (aka: the services do the
> > authorization).
> >
> > So as we'll have many tenants we will also have many realms. Because
> > clients are bound to individual realm, we will need to duplicate
> > (re-register through dynamic registration every client) many times. For
> > the worse, we will probably also use UMA, which is bound to the client,
> > hence the privileges will be duplicated as well...
> >
> > Now the questions:
> >
> > 1)      Is it somehow possible to inherit or template the definition of
> > the realm, so we would only change the "master realm template" and the
> > changes would propagate to all the individual tenant realms
> >
>
> This is not possible. However, we have discussed a similar solution when we
> were working with Openshift Integration. I can't remember how we called
> this at that time, Stian should remember ....
>
>
> >
> > 2)      If this is not possible, what is the recommended way to support
> > this scenario with many tenants and many services? Especially when we
> > expect that the clients will evolve, hence updating all the clients+uma
> > in many realms may be very painful...
> >
>
> I don't think you have other option. Maybe you can make the job less
> painful by using our APIs to help provisioning new tenants with the
> "shared" configuration.
>
>
> >
> > Thanks for your advice!
> >
> > Pavel
> >
> >
> > // PS: if there is any good article or presentation how to achieve this,
> > goal, please send it to me. I will be very grateful.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>


-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore – 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n at ramyamlab.com
www.ramyamlab.com
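Pedro's suggestion above, scripting tenant provisioning against the Admin REST API from one shared "master realm template", as an added example. This is not code from the thread or from the Keycloak project. It assumes a Keycloak 4.x-style base URL with the `/auth` prefix, the `admin-cli` password grant against the master realm, realm creation via `POST /admin/realms` with a full RealmRepresentation, and re-applying template changes to existing realms via `POST /admin/realms/{realm}/partialImport` with `ifResourceExists: OVERWRITE`. The template contents (client ids, roles, host names) are constructed for illustration.

```python
"""Provision Keycloak tenant realms from one shared template (added example).

Constructed illustration of scripting tenant provisioning with the Keycloak
Admin REST API; not Keycloak project code. Endpoint paths assume the '/auth'
prefix used by Keycloak 4.x. The template below is invented sample data.
"""
import json
import re
import urllib.parse
import urllib.request

# Constructed "master realm template": everything a tenant realm shares.
# {domain} is a per-tenant placeholder filled in by render_realm().
SHARED_TEMPLATE = {
    "enabled": True,
    "sslRequired": "external",
    "roles": {"realm": [{"name": "tenant-admin"}, {"name": "tenant-user"}]},
    "clients": [
        {   # React SPA: public client on the implicit flow, as in the thread.
            "clientId": "web-frontend",
            "publicClient": True,
            "implicitFlowEnabled": True,
            "standardFlowEnabled": False,
            "directAccessGrantsEnabled": False,
            "redirectUris": ["https://{domain}/*"],   # exact host per tenant
            "webOrigins": ["https://{domain}"],
        },
        {   # Shared microservice acting as UMA resource server: Keycloak
            # requires a confidential client with service accounts for this.
            "clientId": "orders-service",
            "publicClient": False,
            "serviceAccountsEnabled": True,
            "authorizationServicesEnabled": True,
        },
    ],
}

_TENANT_RE = re.compile(r"[a-z0-9][a-z0-9-]{1,39}")  # realm name goes into URL paths


def _substitute(value, **params):
    """Recursively fill {placeholders} in strings; returns new containers."""
    if isinstance(value, str):
        return value.format(**params)
    if isinstance(value, list):
        return [_substitute(v, **params) for v in value]
    if isinstance(value, dict):
        return {k: _substitute(v, **params) for k, v in value.items()}
    return value


def render_realm(template, tenant, domain):
    """Build a RealmRepresentation for one tenant from the shared template."""
    if not _TENANT_RE.fullmatch(tenant):
        raise ValueError(f"unsafe tenant name: {tenant!r}")
    realm = _substitute(template, tenant=tenant, domain=domain)
    realm["realm"] = tenant
    realm["displayName"] = tenant
    return realm


def client_update_payload(template, tenant, domain):
    """Payload for partialImport: re-apply template clients/roles to an
    existing tenant realm, overwriting what is already there."""
    rendered = render_realm(template, tenant, domain)
    return {"ifResourceExists": "OVERWRITE",
            "clients": rendered["clients"],
            "roles": rendered["roles"]}


class KeycloakAdmin:
    """Minimal Admin REST client using the admin-cli password grant."""

    def __init__(self, base_url, username, password):
        self.base = base_url.rstrip("/")  # e.g. https://sso.example.test/auth
        self.token = self._login(username, password)

    def _login(self, username, password):
        body = urllib.parse.urlencode({
            "grant_type": "password", "client_id": "admin-cli",
            "username": username, "password": password}).encode()
        req = urllib.request.Request(
            f"{self.base}/realms/master/protocol/openid-connect/token", data=body)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)["access_token"]

    def _post(self, path, payload):
        req = urllib.request.Request(
            f"{self.base}/admin{path}", data=json.dumps(payload).encode(),
            headers={"Authorization": f"Bearer {self.token}",
                     "Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req) as resp:
            return resp.status  # 201 for realm creation, 200 for partialImport

    def create_realm(self, realm_rep):
        return self._post("/realms", realm_rep)

    def partial_import(self, realm, payload):
        return self._post(f"/realms/{realm}/partialImport", payload)


def provision_tenant(admin, tenant, domain, template=SHARED_TEMPLATE):
    return admin.create_realm(render_realm(template, tenant, domain))


def propagate_template(admin, tenants, template=SHARED_TEMPLATE):
    """After editing the template, push client/role changes to every realm."""
    return {t: admin.partial_import(t, client_update_payload(template, t, d))
            for t, d in tenants.items()}


if __name__ == "__main__":
    # Offline dry run: show the representation that would be POSTed.
    print(json.dumps(render_realm(SHARED_TEMPLATE, "acme", "acme.example.test"),
                     indent=2))
```

Run with `python3 provision.py` for the dry run; with a reachable server, `provision_tenant(KeycloakAdmin(url, user, pw), "acme", "acme.example.test")` creates the realm and `propagate_template(...)` re-applies the shared clients to every existing tenant realm. Keeping the template as the single source of truth is what makes the "many realms" approach manageable: a client or UMA change is edited once and pushed everywhere, while per-tenant values (realm name, redirect hosts) are substituted rather than hand-edited, so a typo cannot widen one tenant's redirect URIs. The realm-name check matters because the tenant value is spliced into admin URL paths.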

