Dear all,
Firstly, I would like to apologize if I'm asking a question that has already been asked a few times (at least according to the search results), but I'm unable to draw a definite conclusion from the answers... We want to implement Keycloak as our authentication and authorization mechanism, but we also have doubts about how to do it. We are building a platform that contains multiple applications (let's call them our products). These products must have the ability to serve multiple customers (tenants), and each tenant can have any number of users. One of our requirements is that one user could theoretically log in to all product instances, so the users should be unique across the whole platform. As I understand it, if we set up our Keycloak instance in a way that every client has its own realm (as per the current documentation), we would lose the ability to have one login for the whole platform. The same situation would occur if we separate realms by product. I have found this solution, which seems to fit our case (at least in some form):
https://github.com/p2-inc/keycloak-orgs. This model customizes Keycloak by adding organizations into a single realm, but I'm concerned that these customizations could prove to be hard to maintain in the future. Is there another solution in which a user doesn't have to change their data across all realms, and are there mechanisms which allow a user to change data in one place by propagating the action across all the realms? Also, are there any security implications when using multiple tenants in a single realm?
Many thanks.
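The main security implication of putting every tenant into one realm is that the realm no longer isolates tenants: a token issued for a user of tenant A is, as far as Keycloak is concerned, a valid token of the realm, so each resource server has to enforce the tenant boundary itself on every request. The following is an added example (not code from the post, from Keycloak, or from the keycloak-orgs project) of such a check in a Python resource server. It assumes a custom protocol mapper that puts a `tenant_id` claim into the access token, a client named `orders-api`, a realm named `platform`, and that the token signature has already been verified upstream against the realm's JWKS; the sample token is constructed in the block so it runs offline.

```python
import base64
import json
import time

# Assumed deployment values (not from the post): the client this resource server
# represents and the issuer URL of the single shared realm.
CLIENT_ID = "orders-api"
ISSUER = "https://sso.example.com/realms/platform"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(sub: str, tenant_id: str, roles: list, exp_offset: int = 300) -> str:
    """Build a CONSTRUCTED, unsigned test token shaped like a Keycloak access
    token. 'tenant_id' is an assumed custom mapper claim, not a Keycloak default."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    payload = {
        "iss": ISSUER,
        "sub": sub,
        "aud": CLIENT_ID,
        "exp": int(time.time()) + exp_offset,
        "tenant_id": tenant_id,
        "resource_access": {CLIENT_ID: {"roles": roles}},
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        _b64url(b"constructed-signature"),  # placeholder, never verified here
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims. Signature verification is assumed to have been
    done by the OIDC library in front of this code; this only parses."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize(token: str, requested_tenant: str, required_role: str, now=None):
    """Decide whether the token may act on 'requested_tenant' with 'required_role'.
    Returns (allowed, reason). The tenant comparison is the check a single-realm
    setup must add, because the realm itself no longer separates tenants."""
    claims = decode_claims(token)
    now = time.time() if now is None else now

    if claims.get("iss") != ISSUER:
        return (False, "wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        return (False, "wrong audience")
    if claims.get("exp", 0) <= now:
        return (False, "expired")
    # Tenant boundary: the claim must match the tenant named in the request,
    # never the other way round (do not derive the tenant from the request alone).
    if claims.get("tenant_id") != requested_tenant:
        return (False, "tenant mismatch")
    roles = claims.get("resource_access", {}).get(CLIENT_ID, {}).get("roles", [])
    if required_role not in roles:
        return (False, "missing role")
    return (True, "ok")


if __name__ == "__main__":
    tok = make_token("user-1", "acme", ["orders:read"])
    print(authorize(tok, "acme", "orders:read"))    # (True, 'ok')
    print(authorize(tok, "globex", "orders:read"))  # (False, 'tenant mismatch')
```

The `tenant mismatch` branch is the one that matters for the question: with per-tenant realms a token from another tenant would fail at the issuer check, while in a shared realm it passes issuer, audience and expiry checks and is only stopped by the application-level tenant comparison. Any endpoint that forgets it silently becomes cross-tenant.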