[keycloak-user] Securing multitenant microservices
Pedro Igor Silva
psilva at redhat.com
Wed Feb 6 06:19:58 EST 2019
Keycloak provides an API which is basically the same that is backing our
administration console. You can basically manage everything from it.
You could maybe start by this part of the docs [1]. If you are using Java,
you can use a client library.
[1]
https://www.keycloak.org/docs/latest/server_development/index.html#admin-rest-api
On Wed, Feb 6, 2019 at 9:15 AM Hariprasad N <hariprasad.n at ramyamlab.com>
wrote:
> Hi Pedro Igor Silva,
>
> We also have similar requirement. you said
>
>
> *I don't think you have other option. Maybe you can make the job
> lesspainful by using our APIs to help provisioning new tenants with
> the"shared" configuration*.
>
> Can you tell me how with examples if possible.
>
> On Wed, Feb 6, 2019 at 4:27 PM Pedro Igor Silva <psilva at redhat.com> wrote:
>
>> On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka <Pavel.Micka at zoomint.com>
>> wrote:
>>
>> > Hi,
>> >
>> > We are currently planning how to implement Keycloak to our solution. Our
>> > solution is a multitenant application composed of many microservices
>> with
>> > fronting API and React.js clients. Our tenants are all using the same
>> > instances of the microservices (those are shared).
>> > We will go with implicit token flow, passing the JWT token through all
>> the
>> > dependencies to achieve defense-in-depth (aka: the services do the
>> > authorization).
>> >
>> > So as we'll have many tenants we will also have many realms. Because
>> > clients are bound to individual realm, we will need to duplicate
>> > (re-register through dynamic registration every client) many times. For
>> the
>> > worse, we will probably also use UMA, which is bound to the client,
>> hence
>> > the privileges will be duplicated as well...
>> >
>> > Now the questions:
>> >
>> > 1) Is it somehow possible to inherit or template the definition of
>> > the realm, so we would only change the "master realm template" and the
>> > changes would propagate to all the individual tenant realms
>> >
>>
>> This is not possible. However, we have discussed a similar solution when
>> we
>> were working with Openshift Integration. I can't remember how we called
>> this at that time, Stian should remember ....
>>
>>
>> >
>> > 2) If this is not possible, what is the recommended way to support
>> > this scenario with many tenants and many services? Especially when we
>> > expect that the clients will evolve, hence updating all the clients+uma
>> in
>> > many realms may be very painful...
>> >
>>
>> I don't think you have other option. Maybe you can make the job less
>> painful by using our APIs to help provisioning new tenants with the
>> "shared" configuration.
>>
>>
>> >
>> > Thanks for your advice!
>> >
>> > Pavel
>> >
>> >
>> > // PS: if there is any good article or presentation how to achieve this,
>> > goal, please send it to me. I will be very grateful.
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
> --
> Thanks & Regards,
>
> Hari Prasad N
> Senior Software Engineer
> -------------------------------------------------
> Ramyam Intelligence Lab Pvt. Ltd.,
> Part of Arvato
> 3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
> Bangalore – 560001, Karnataka, India.
>
> Phone: +91 80 67269266
> Mobile: +91 7022156319
> E-Mail: *hariprasad.n at ramyamlab.co <http://ramyamlab.co>m*
> *www.ramyamlab.com* <http://www.ramyamlab.com/>
>
More information about the keycloak-user
mailing list