[keycloak-user] Securing multitenant microservices

Hariprasad N hariprasad.n at ramyamlab.com
Wed Feb 6 06:26:25 EST 2019


Thanks.
I already had this in mind; I thought you would give another solution.
Anyway, thanks.
Is there any plan in the future to create shared clients and roles across
multiple realms?
I asked for this requirement long ago.

Regards
Hari Prasad N

On Wed, Feb 6, 2019 at 4:50 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> Keycloak provides an API which is basically the same one that backs our
> administration console. You can basically manage everything from it.
>
> You could maybe start with this part of the docs [1]. If you are using Java,
> you can use a client library.
>
> [1]
> https://www.keycloak.org/docs/latest/server_development/index.html#admin-rest-api
>
> On Wed, Feb 6, 2019 at 9:15 AM Hariprasad N <hariprasad.n at ramyamlab.com>
> wrote:
>
>> Hi Pedro Igor Silva,
>>
>> We also have a similar requirement. You said:
>>
>> *I don't think you have other option. Maybe you can make the job less
>> painful by using our APIs to help provisioning new tenants with the
>> "shared" configuration.*
>>
>> Can you tell me how, with examples if possible?
>>
>> On Wed, Feb 6, 2019 at 4:27 PM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> On Wed, Feb 6, 2019 at 8:41 AM Pavel Micka <Pavel.Micka at zoomint.com>
>>> wrote:
>>>
>>> > Hi,
>>> >
>>> > We are currently planning how to implement Keycloak in our solution. Our
>>> > solution is a multitenant application composed of many microservices with
>>> > a fronting API and React.js clients. Our tenants are all using the same
>>> > instances of the microservices (those are shared).
>>> > We will go with the implicit token flow, passing the JWT token through all
>>> > the dependencies to achieve defense-in-depth (i.e. the services do the
>>> > authorization).
>>> >
>>> > So as we'll have many tenants, we will also have many realms. Because
>>> > clients are bound to an individual realm, we will need to duplicate every
>>> > client (re-register it through dynamic registration) many times. Worse, we
>>> > will probably also use UMA, which is bound to the client, hence the
>>> > privileges will be duplicated as well...
>>> >
>>> > Now the questions:
>>> >
>>> > 1) Is it somehow possible to inherit or template the definition of
>>> > the realm, so we would only change the "master realm template" and the
>>> > changes would propagate to all the individual tenant realms?
>>> >
>>>
>>> This is not possible. However, we discussed a similar solution when we
>>> were working on the OpenShift integration. I can't remember what we called
>>> it at that time; Stian should remember...
>>>
>>>
>>> >
>>> > 2) If this is not possible, what is the recommended way to support
>>> > this scenario with many tenants and many services? Especially when we
>>> > expect that the clients will evolve, hence updating all the clients + UMA
>>> > in many realms may be very painful...
>>> >
>>>
>>> I don't think you have any other option. Maybe you can make the job less
>>> painful by using our APIs to help with provisioning new tenants with the
>>> "shared" configuration.
>>>
>>>
>>> >
>>> > Thanks for your advice!
>>> >
>>> > Pavel
>>> >
>>> >
>>> > PS: if there is any good article or presentation on how to achieve this
>>> > goal, please send it to me. I will be very grateful.
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>>
>>
>>
>

-- 
Thanks & Regards,

Hari Prasad N
Senior Software Engineer
-------------------------------------------------
Ramyam Intelligence Lab Pvt. Ltd.,
Part of Arvato
3rd & 5th Floors, Mithra Towers, 10/4, Kasturba Road,
Bangalore – 560001, Karnataka, India.

Phone: +91 80 67269266
Mobile: +91 7022156319
E-Mail: hariprasad.n at ramyamlab.com
www.ramyamlab.com
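Pedro's suggestion above (provision each tenant realm from one shared configuration through the Admin REST API), as an added example; this is not code from the thread or from the Keycloak project. The server URL, admin credentials, the tenant-id rule and the contents of the template are assumptions; the tenant id is validated before it becomes a realm name and a redirect host.

```python
import json
import re
import urllib.parse
import urllib.request

# Constructed "master realm template" (assumed contents): the clients and realm roles
# every tenant realm carries. "{tenant}" is substituted when a realm is built from it.
SHARED_TEMPLATE = {
    "enabled": True, "sslRequired": "external",
    "roles": {"realm": [{"name": "tenant-admin"}, {"name": "tenant-user"}]},
    "clients": [
        {"clientId": "react-frontend", "publicClient": True, "standardFlowEnabled": True,
         "redirectUris": ["https://{tenant}.example.com/*"],
         "webOrigins": ["https://{tenant}.example.com"]},
        {"clientId": "api-gateway", "bearerOnly": True},
    ],
}
# Realm names become URL path segments and redirect hosts: accept only a strict identifier.
TENANT_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,30}$")

def _substitute(node, tenant):
    """Rebuild a nested dict/list with "{tenant}" replaced in every string (no mutation)."""
    if isinstance(node, dict):
        return {k: _substitute(v, tenant) for k, v in node.items()}
    if isinstance(node, list):
        return [_substitute(v, tenant) for v in node]
    return node.replace("{tenant}", tenant) if isinstance(node, str) else node

def build_realm(tenant, template=SHARED_TEMPLATE):
    """RealmRepresentation for one tenant, derived from the shared template."""
    if not TENANT_RE.match(tenant):
        raise ValueError(f"invalid tenant id: {tenant!r}")
    return {"realm": tenant, **_substitute(template, tenant)}

def admin_token(base_url, username, password):
    """Password grant on the master realm's admin-cli client -> admin API access token."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def create_realm(base_url, token, realm):
    """POST /admin/realms; Keycloak answers 201 Created (409 Conflict if it already exists)."""
    req = urllib.request.Request(f"{base_url}/admin/realms", method="POST", data=json.dumps(realm).encode(),
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":  # assumed server; older (pre-Quarkus) releases serve under a "/auth" prefix
    base = "https://sso.example.com"
    print(create_realm(base, admin_token(base, "admin", "secret"), build_realm("acme")))
```

Changing a shared client or role is then an edit to the template followed by a re-run against each existing realm through the corresponding update endpoints, rather than a hand edit in every tenant's console.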
