When to make a second realm

Scenario: We have a service that requires us to create two different applications. There is an app meant for higher privileged staff users that are part of multiple organizations that we partner with. There is a second app that we release to app stores for public retail use. Both of these apps are part of the same product and use the same APIs in our back end. The staff app is significantly more feature rich and requires the use of organizations for separating our business partners. The retail app does not really need an organization and is mainly for account management and tracking assets.

  • Staff App
    • Org A
      • Staff users
    • Org B
      • Staff users
  • Retail App
    • Everyone else

I’m trying to understand the pros and cons for keeping them all under a single realm and then having the staff app kick out retail users or using two realms for the two different applications.

The reason to use multiple Realms rather than separate users by simpler primitives like Groups and Organizations is based on whether or not all the users will be accessing the same applications. It is difficult to configure the same application to use multiple Realms/IdPs. If your “Staff users” are using the same applications (but with different permissions) as your “Everyone else”, then everyone can be in the same Realm.

Thanks, that’s very helpful. I’m leaning toward keeping staff accounts only usable in the staff app, and retail users only in the public app. If a staff user wants to use the public app, they would need to create a separate personal account. So while this is technically one product, we have two distinct applications with two distinct sets of users.

Currently, we are using a single realm and relying on the front-end to block users if their access token doesn’t include the proper organization. The tradeoff is placing the responsibility on the front-end versus having Keycloak enforce it by only issuing tokens to users in the correct realm. Using multiple realms would give us stronger isolation, but it also increases the management overhead in Keycloak and requires supporting multiple realms in the back-end.

Does this capture the main considerations, or am I missing anything important?
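As an added example (not code from this thread or from Keycloak itself), the following Python shows how the API could enforce the two points discussed above on the back-end rather than in the front-end: which realm issued the token (via the `iss` claim, which Keycloak sets to `<base-url>/realms/<realm>`) and whether the user belongs to a partner organization. The `organization` claim name and its shape, the `azp` client check, and all URLs and sample tokens are assumptions constructed for the example.

```python
"""Server-side authorization check for a decoded Keycloak access token.

Assumes the token's signature, expiry and audience were already verified by a
JWT library against the realm's JWKS; this code only decides, from the decoded
claims, whether the caller may use the staff API.
"""
from typing import Any


def extract_orgs(claims: dict[str, Any]) -> set[str]:
    """Return organization names from the token.

    Assumption: the organization mapper emits either a list of names or an
    object keyed by name, so both shapes are accepted.
    """
    org = claims.get("organization", [])
    if isinstance(org, dict):
        return set(org)
    if isinstance(org, (list, tuple)):
        return {str(o) for o in org}
    return set()


def authorize(claims: dict[str, Any], expected_issuer: str,
              allowed_orgs: set[str], allowed_clients: set[str]) -> tuple[bool, str]:
    # Realm isolation: a token minted by any other realm fails on the issuer
    # alone, whatever its other claims say.
    if claims.get("iss") != expected_issuer:
        return False, "wrong realm"
    # Within one realm, 'azp' names the client the token was issued to, so
    # tokens obtained through the retail app can still be refused here.
    if claims.get("azp") not in allowed_clients:
        return False, "wrong client"
    # Organization membership is decided on the server, not in the front-end.
    if not extract_orgs(claims) & allowed_orgs:
        return False, "no partner organization"
    return True, "ok"


# Constructed sample values (not from any real deployment).
STAFF_ISSUER = "https://sso.example.com/realms/staff"
PARTNER_ORGS = {"org-a", "org-b"}
STAFF_CLIENTS = {"staff-app"}

STAFF_TOKEN = {"iss": STAFF_ISSUER, "sub": "u1", "azp": "staff-app",
               "organization": {"org-a": {}}}
NO_ORG_TOKEN = {"iss": STAFF_ISSUER, "sub": "u2", "azp": "staff-app"}
RETAIL_TOKEN = {"iss": "https://sso.example.com/realms/retail", "sub": "u3",
                "azp": "retail-app", "organization": ["org-a"]}

if __name__ == "__main__":
    for name, tok in [("staff", STAFF_TOKEN), ("no-org", NO_ORG_TOKEN), ("retail", RETAIL_TOKEN)]:
        print(name, authorize(tok, STAFF_ISSUER, PARTNER_ORGS, STAFF_CLIENTS))
```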