Realm-based multi-tenancy and fine-grained authorization for resources

We are using Keycloak for managing SSO for our multi-tenancy application, where each tenant has their own realm. What would the approach be for securing our individual microservices?

My idea is to introduce a new realm where I add clients where each client corresponds to a microservice.

I am also considering just using one client in one realm for my microservices and enabling “Fine-grained authorization” to add each of our microservices as resources - is this a valid approach? Could the resources potentially invoke and access each other in that case? My end goal is to protect our microservices and allow microservices to authenticate and invoke each other.

I appreciate all the help I can get!

If your customers don’t access any of your microservices, then you can separate these via separate clients inside one realm and create a client user via the fine-grained auth.
But as soon as your customers should also access your microservices, then you probably need to put all of them in one realm. At least I don’t know of any way to control cross-realm authorizations.
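An added example, not code from either poster or from Keycloak: a sketch of the check a microservice could run on token claims when service clients live in one realm and each tenant has its own, so the realm in `iss` and the calling client in `azp` drive the decision. The base URL, realm names, client ids and the caller map are constructed, and the token's signature and expiry are assumed to have been verified already against the issuing realm's keys.

```python
# All names and URLs below are constructed for illustration.
KEYCLOAK_BASE = "https://sso.example.com/realms/"
SERVICES_REALM = "services"               # hypothetical realm: one client per microservice
TENANT_REALMS = {"tenant-a", "tenant-b"}  # hypothetical per-tenant realms
# Which service clients (the azp claim) may call which microservice.
ALLOWED_CALLERS = {"billing": {"orders"}, "orders": {"gateway"}}


def realm_of(issuer):
    """Return the realm name from a Keycloak issuer URL, or None if it is not ours."""
    if not isinstance(issuer, str) or not issuer.startswith(KEYCLOAK_BASE):
        return None
    realm = issuer[len(KEYCLOAK_BASE):]
    # Reject empty names and anything with extra path segments.
    return realm if realm and "/" not in realm else None


def authorize(claims, target_service, tenant=None):
    """Decide on claims from a token that was already signature- and expiry-checked.

    Service-to-service calls must come from the services realm and from a
    client listed for the target; user calls must come from the realm of the
    tenant the request is scoped to.
    """
    realm = realm_of(claims.get("iss"))
    if realm == SERVICES_REALM:
        return claims.get("azp") in ALLOWED_CALLERS.get(target_service, set())
    if realm in TENANT_REALMS:
        return tenant is not None and realm == tenant
    return False  # unknown issuer or realm: deny by default


if __name__ == "__main__":
    svc = {"iss": KEYCLOAK_BASE + "services", "azp": "orders"}
    user = {"iss": KEYCLOAK_BASE + "tenant-a", "azp": "web-app"}
    print(authorize(svc, "billing"), authorize(user, "billing", tenant="tenant-b"))
```
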