Angular Client with .Net Api backend

Hi, I’m not 100% sure I understand the flows well enough to have an idea of how to do this!!

We’re building a multi-tenant application, we decided on 1 realm per tenant so when we onboard a business, we will create a realm for them.

We have a front end (Angular) that’s in charge of login. When we onboard a business, we create a client within their realm called ‘front-end’ that is public and has a redirect URI of the front end, which is https://business.ourdomain.com/

We also have a back-end API (.NET 6); currently it’s in charge of creating and managing realms (there’s a client on master that’s set to confidential to do this).

Our next task is to figure out how to handle roles and permissions. One thing I saw was that permissions are at the client level (not realm level). This brought up a ton of questions (mostly because I don’t know how this should work).

  1. If the client that has the permissions has to be confidential, then that means our API should be in charge of getting the access token (which I assume would have the list of scopes in it) so it can call the confidential client with the secret (not the public front end)… how do we do that when the authorization code gets called back to our front end and not our back end?
  2. Is there a way to have one single source of truth for our permissions? A single tenant per realm would mean adding a new permission to every realm we created (within the confidential client we’ve created in each realm).

One reason this came up is that we’re gonna have businesses that will want to map their IdP groups to roles in Keycloak, so we kind of need roles to live in Keycloak. I was hoping to go a step further and connect permissions to roles easily.
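An added example (not from the poster, and not Keycloak or .NET code) of what the back-end API does in the flow described above: the public front end completes the authorization code flow and sends the resulting access token as a bearer token, and the API only validates it and reads the roles from its claims. It assumes a Keycloak host `keycloak.ourdomain.com`, a per-realm API client named `back-end`, and that the tenant realm is derived from the front end's host (`business.ourdomain.com`). Keycloak signs tokens with RS256 against the realm's JWKS; this self-contained example uses HS256 with a constructed key so it runs offline, but the issuer, audience, expiry and role checks are the same.

```python
import base64, hashlib, hmac, json, time

KEYCLOAK_BASE = "https://keycloak.ourdomain.com"  # assumed Keycloak host
API_CLIENT_ID = "back-end"                        # assumed per-realm client for the .NET API


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def tenant_from_host(host: str) -> str:
    """Map the front end's host (business.ourdomain.com) to the tenant realm name."""
    sub, _, rest = host.partition(".")
    if rest != "ourdomain.com" or not sub:
        raise ValueError("unknown tenant host")
    return sub


def verify_tenant_token(token: str, tenant: str, key: bytes, now=None) -> dict:
    """Check signature, issuer (tenant realm), audience and expiry, then return the roles."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # One realm per tenant: the issuer pins the token to exactly this business's realm,
    # so a valid token from another tenant's realm is rejected here.
    if claims.get("iss") != f"{KEYCLOAK_BASE}/realms/{tenant}":
        raise ValueError("issuer does not match tenant realm")
    aud = claims.get("aud", [])  # Keycloak adds the API client here via an audience mapper
    aud = [aud] if isinstance(aud, str) else aud
    if API_CLIENT_ID not in aud:
        raise ValueError("token not issued for this API")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return {  # realm roles and the API client's own roles, as Keycloak lays them out
        "sub": claims.get("sub"),
        "realm_roles": sorted(claims.get("realm_access", {}).get("roles", [])),
        "client_roles": sorted(claims.get("resource_access", {}).get(API_CLIENT_ID, {}).get("roles", [])),
    }


def make_sample_token(tenant: str, key: bytes, client_roles: list, exp: float) -> str:
    """Constructed HS256 token shaped like Keycloak's claims; only for this offline example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "iss": f"{KEYCLOAK_BASE}/realms/{tenant}", "aud": [API_CLIENT_ID, "account"], "sub": "user-1",
        "exp": exp, "realm_access": {"roles": ["offline_access"]},
        "resource_access": {API_CLIENT_ID: {"roles": client_roles}}}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

The API never needs the client secret for this path; the secret is only for calls the API itself makes to Keycloak (such as the master-realm admin client already in use).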