Keycloak group based multitenancy

denzeloff · December 2, 2022, 11:34am

Hi my team is developing multitenant microservices system.
After watching Bilding an effective identity and access management architecture with Keycloak - YouTube we are curious wheter there is a better way to handle described below use case.
As an user(with some role) I can manage(make operations on tenants data) two tenants.
Example
As an user I would like to change company name.
Current approach
In microservice A we have an endpoint to change company name, front end application makes a rest call passing in header tenant-id, so at beggining our microservice compare wheter the given token contains such attribute like tenant-id and value matches requested one.

Is it possible to configure somehow keycloak so that check will do authorization-server?
On video Sebastian shows example with Role but this is really simple example.

Carl · December 2, 2022, 6:13pm

I skimmed the video but didn’t see the discussion on tenants (it’s 52m). Are you able to support a realm-per-tenant model? Then you can give each tenant admin access to create new clients and users.

denzeloff · December 2, 2022, 6:38pm

As I said the video shows simple use case, my is a little bit more complex, video does not address anything about multitenancy. The problem is that we cannot support realm-per-tenant model There is a requirement that some users have access to both tenants, you know regular users on steroids.

Topic		Replies	Views
Single realm, multi-tenant, tenant scoped role setup advice Getting advice multi-tenancy	22	473	August 26, 2024
Can multi-tenancy in Keycloak be done within a single realm? Getting advice	0	722	January 14, 2020
Multi tenancy authorization advice Getting advice	0	469	May 3, 2021
Multi-Tenancy Web App with Keycloak Getting advice	7	6865	November 7, 2024
Architecture ideas on multi-tenancy at customer permisses Securing applications	8	6642	June 18, 2022

Keycloak group based multitenancy

Related topics