Keycloak, Gatekeeper and multi tenency

Hi there

I’m hoping someone could point me in the right direction as I’m very confused by the documentation. First I want to explain what it is we’re trying to achieve and then what I’ve done so far and where I’m confused.

We have an SaS application, which can be accessed by a single page application or native app. Each client is tenanted by subdomain ( We have an Apollo gateway setup to accept graphql requests and call the respective microservices on the back end.

I want to add authentication and authorization to the Apollo gateway. The front end/native app will authenticate with Keycloak with a client_id with the realm that is setup for that client using OIDC. I would like only the OAuth Access Token be returned, we don’t want the JWT token returned to the front end as there could be data in there we don’t specifically want accessible on the front end.

When the front end makes a request Graphql to the Apollo gateway, the gateway will validate the Access Token with Keycloak and the JWT token should be returned when it succeeds. Apollo will then attach the JWT token as it passes on requests to the Microservices on the back end and they’ll validate the JWT token.

So far I have a test single-page application authenticating with Keycloak, but that’s really about it. I’m under the impression I need to use a OIDC adapter (gatekeeper) to achieve the part where I can validate a Access Token.

So my problem is, it doesn’t seem like gatekeeper is multi tenanted and you’re locked into a realm per instance of Gatekeeper. I’m also unsure on how to configure what is actually returned when doing the initial OAuth request from the front end.

Am I on the right path with Gatekeeper? Do I even need it? I’m feeling very lost when it comes to the documentation, so really just looking for the parts I should be reading or any guides out there that will help me navigate through all this.