Keycloak with 10 million realms

Hi There,

We are on the latest Keycloak version with the Quarkus distribution. We have a use case where we will need to create about 10 million realms. Each realm would have a limited set of clients/groups/users/roles/IdPs. Most of the realms would have around 10-12 users, 3-5 groups and roles, and 20-25 clients.

I am aware that Keycloak performance starts degrading when we hit the 500-realm mark. But what I understood is that this happens only with the admin UI, and login flows would still be fine.

I wanted to check if this is the right approach, or whether there is any other way we could achieve this. I don’t want to create a single realm and add 10 million groups where each group would act as a realm. This approach has security/maintenance issues.

Did anyone set up Keycloak for this kind of dataset? I would really appreciate it if you could share your findings on performance and any suggestions on how to do this in a better way.

Thanks,
Sagun

I’m not sure whether the 500-realm mark is still accurate for the new Keycloak Quarkus core.

It is still there, but improving.

What kind of security/maintenance issues does a “standard” approach have?
I would say only performance will be a problem, but it can also be one for your high-realm-count approach. I guess you will need to tune caching (Configuring distributed caches - Keycloak), especially if you are scaling horizontally.

If we are creating groups instead of realms, we won’t be able to do a lot of things we would otherwise do for realms, like configure a different set of IdPs for each realm, configure password policies, or custom authentication flows (if needed). There are many more settings at the realm level which we can’t move to the group level. We would need to write a lot of custom code, and there will always be a security risk of mixing one realm’s entities (e.g. users) with another realm’s. It’s very hard to maintain.

10 million auth realms is quite a lot.
You might consider partitioning those into several independent instances / tiers, even if Keycloak does support HA.
You could handle realm selection / routing at the HTTP proxy / load balancer / DNS level!?

2 Likes
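One way to implement the proxy-level realm routing suggested in the reply above, as an added example that is not part of the thread and not Keycloak's own code: the realm name is parsed out of the Quarkus-distribution URL path (`/realms/{realm}/...`, `/admin/realms/{realm}/...`, `/admin/{realm}/console/...`) and mapped onto one of several independent Keycloak clusters with a consistent-hash ring, so that adding a cluster later moves only about 1/N of the realms instead of reshuffling all of them. The shard names, the realm names and the sample paths are assumed/constructed for the example; in a real deployment each shard would be the upstream address of one cluster and this lookup would sit in the reverse proxy (or be pre-computed into its config).

```python
"""Route Keycloak requests to independent clusters by realm name.

Added example (not from the thread or the Keycloak project): consistent-hash
routing of realm names to shards, the kind of lookup a reverse proxy in front
of several independent Keycloak clusters would perform. Shard identifiers and
sample realm names below are assumed/constructed.
"""
import bisect
import hashlib
from urllib.parse import unquote, urlsplit

# Assumed shard identifiers; in practice each is the upstream address of one
# independent Keycloak cluster.
SHARDS = ["kc-shard-a", "kc-shard-b", "kc-shard-c", "kc-shard-d"]


def realm_from_path(path):
    """Extract the realm name from a Keycloak (Quarkus distribution) URL path.

    Path families that carry a realm name:
      /realms/{realm}/...         OIDC/SAML endpoints, account console
      /admin/realms/{realm}/...   admin REST API
      /admin/{realm}/console/...  admin console UI
    Returns None for paths without a realm (health, metrics, static assets),
    so the caller can send those to a default upstream.
    """
    parts = [unquote(p) for p in urlsplit(path).path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "realms":
        return parts[1]
    if len(parts) >= 3 and parts[0] == "admin":
        if parts[1] == "realms":
            return parts[2]
        if parts[2] == "console":
            return parts[1]
    return None


def _hash64(key):
    """Stable 64-bit hash of a string (SHA-256 prefix, not Python's salted hash())."""
    return int.from_bytes(hashlib.sha256(key.encode("utf-8")).digest()[:8], "big")


class RealmRouter:
    """Consistent-hash ring mapping realm names to shards.

    Each shard owns `vnodes` points on the ring; a realm goes to the owner of
    the first ring point at or after its own hash (wrapping around).
    """

    def __init__(self, shards, vnodes=128):
        self._ring = []
        self._owner = {}
        for shard in shards:
            for i in range(vnodes):
                point = _hash64(f"{shard}#{i}")
                self._ring.append(point)
                self._owner[point] = shard
        self._ring.sort()

    def shard_for_realm(self, realm):
        point = _hash64(realm)
        idx = bisect.bisect_right(self._ring, point)
        if idx == len(self._ring):
            idx = 0  # wrap around the ring
        return self._owner[self._ring[idx]]

    def route(self, path):
        """Shard for a request path, or None if the path names no realm."""
        realm = realm_from_path(path)
        return None if realm is None else self.shard_for_realm(realm)


def moved_fraction(old_shards, new_shards, realms):
    """Fraction of realms whose shard changes between two shard sets."""
    old, new = RealmRouter(old_shards), RealmRouter(new_shards)
    moved = sum(old.shard_for_realm(r) != new.shard_for_realm(r) for r in realms)
    return moved / len(realms)


if __name__ == "__main__":
    router = RealmRouter(SHARDS)
    # Constructed sample paths for one tenant realm plus a realm-less path.
    for p in ["/realms/tenant-0000042/protocol/openid-connect/token",
              "/admin/realms/tenant-0000042/users",
              "/admin/tenant-0000042/console/",
              "/health/ready"]:
        print(p, "->", router.route(p))
    realms = [f"tenant-{i:07d}" for i in range(20000)]
    print("realms moved when adding a 5th shard:",
          moved_fraction(SHARDS, SHARDS + ["kc-shard-e"], realms))
```

The login, admin REST and admin console paths for one realm all land on the same shard, which is what keeps a tenant's data inside one cluster; only the realm name, never the client or user, decides the route. Going from 4 to 5 shards moves roughly a fifth of the realms, and those are the only ones that would need migrating.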

Consider the scenario where one user per realm is logged in at any time. If you have 1 million realms, Keycloak will cache data for 1 million realms. Even if you use a remote cache, it’s too much.

It’s safer to use groups acting as realms and not create more than 1000 realms, or else create many clusters.
There are a lot of considerations when going multi-tenant. If you are using an API gateway, you may need to configure it with 10 million realms to manage auth, etc.

Regards