[keycloak-user] Securing multitenant microservices

Pavel Micka Pavel.Micka at zoomint.com
Wed Feb 6 11:23:18 EST 2019


Unfortunatelly its not possible in our case, as we also have per-tenant ability to use different user sources - both sychronization and SSO federation - as we generally import the users from external systems (telephony platforms, active directories...); or in other words, we do not have (almost any) local users.

Best regards, 


// but yeah, this strategy would work nicely, if we did not have these tenant-specific additional contraints

-----Original Message-----
From: Dmitry Telegin <dt at acutus.pro> 
Sent: Wednesday, February 6, 2019 4:42 PM
To: Pavel Micka <Pavel.Micka at zoomint.com>; keycloak-user at lists.jboss.org
Cc: Hariprasad N <hariprasad.n at ramyamlab.com>
Subject: Re: [keycloak-user] Securing multitenant microservices

Hello Pavel and Hariprasad,

As an alternative, you can do everything in one realm. There is a trick to implement ad-hoc "multi-tenancy" within one realm using OpenID Connect scope parameter in the form of "scope=openid tenant:XXX". Using tenant ID, you can dynamically brand account and email themes, propagate it to the tokens, use it in dynamic authorization policies etc. I'm currently writing a detailed article describing this approach.

With this, you will have a shared set of clients, UMA, policies etc. However you will need to implement proper separation of users, e.g. using groups or user attributes.

Feel free to ask any questions on this,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2019-02-06 at 10:39 +0000, Pavel Micka wrote:
> Hi,
> We are currently planning how to implement Keycloak to our solution. Our solution is a multitenant application composed of many microservices with fronting API and React.js clients. Our tenants are all using the same instances of the microservices (those are shared).
> We will go with implicit token flow, passing the JWT token through all the dependencies to achieve defense-in-depth (aka: the services do the authorization).
> So as we'll have many tenants we will also have many realms. Because clients are bound to individual realm, we will need to duplicate (re-register through dynamic registration every client) many times. For the worse, we will probably also use UMA, which is bound to the client, hence the privileges will be duplicated as well...
> Now the questions:
> 1)      Is it somehow possible to inherit or template the definition of the realm, so we would only change the "master realm template" and the changes would propagate to all the individual tenant realms
> 2)      If this is not possible, what is the recommended way to support this scenario with many tenants and many services? Especially when we expect that the clients will evolve, hence updating all the clients+uma in many realms may be very painful...
> Thanks for your advice!
> Pavel
> // PS: if there is any good article or presentation how to achieve this, goal, please send it to me. I will be very grateful.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list