Multi tenancy authorization advice
We would like some advice about using KeyCloak in the following scenario:

We would like to set up KeyCloak so that it can serve multiple tenants within the same realm, whereby every tenant is only allowed to access its own data. Our application exposes a number of API endpoints where we need authorization on a granular level; for example, we need to check if a user is able to read (or perform any other CRUD operation on) a resource. Therefore, using Resource-Based Permissions in KeyCloak seemed like the obvious choice. However, this requires using a confidential client, which requires using a client_secret in order to obtain access tokens, which causes the following problems:

  • If we used the same client for every tenant, this would mean that we would have to share this secret with every tenant, which doesn’t seem the right thing to do.

  • We could create a client for every tenant, but this would mean that we would have to duplicate the configuration for every tenant. If this is the way to go, is there a simple way to automate the export of the same config? And is this even a good choice, as we do this purely to avoid sharing the client_secret?

  • Also, we would like to do authorization checks with unsafe (= public) clients (a webapp, for instance), but this is not possible directly via KeyCloak if you use Resource-Based Permissions, as they force you to use a confidential client. Is it possible to get around this, and if not, why is it required?

  • We also looked into using role-based permissions to specify permissions on a very granular level, as we did for the resource-based permissions, since we can use them without the need for a confidential client. But we are afraid that this would cause the creation of very big JWT tokens (as the roles are embedded in the JWT). This would occur for users with the superuser role, which would have permissions on every resource.
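The server-side pattern behind the third bullet, as an added example that is not code from this thread: the resource server asks Keycloak for a permission decision on behalf of a user whose token came from a public client, so the browser app never handles a client secret. The endpoint path, UMA-ticket grant type, `resource#scope` syntax and `response_mode=decision` follow Keycloak's documented Authorization Services API; the host, realm name, client id, resource names and the fail-closed handling are assumptions made for this example.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK_BASE = "https://keycloak.example.test"  # constructed, not a real server
REALM = "shared-realm"                           # constructed: one realm, many tenants
RESOURCE_SERVER_CLIENT_ID = "tenant-api"         # constructed: the confidential client

def token_endpoint(base=KEYCLOAK_BASE, realm=REALM):
    """Keycloak's OpenID Connect token endpoint for the realm."""
    return f"{base}/realms/{realm}/protocol/openid-connect/token"

def build_decision_request(user_access_token, resource, scope,
                           audience=RESOURCE_SERVER_CLIENT_ID):
    """Form body and headers for a yes/no decision. The user's bearer token
    (from any client, public ones included) identifies the requester; no
    client secret travels in this request, so the web app never holds one."""
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": audience,                  # the resource server being asked
        "permission": f"{resource}#{scope}",   # Keycloak's resource#scope syntax
        "response_mode": "decision",           # {"result": true} instead of an RPT
    }
    headers = {
        "Authorization": f"Bearer {user_access_token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.parse.urlencode(form).encode(), headers

def parse_decision(status, body):
    """Grant only on HTTP 200 with {"result": true}; anything else denies."""
    if status != 200:
        return False
    try:
        return json.loads(body).get("result") is True
    except (ValueError, AttributeError):     # malformed or non-object body: deny
        return False

def is_allowed(user_access_token, resource, scope, opener=urllib.request.urlopen):
    data, headers = build_decision_request(user_access_token, resource, scope)
    req = urllib.request.Request(token_endpoint(), data=data, headers=headers, method="POST")
    try:
        with opener(req) as resp:            # opener is injectable for offline tests
            return parse_decision(resp.status, resp.read())
    except urllib.error.HTTPError as err:   # Keycloak answers 403 when denied
        return parse_decision(err.code, err.read())
```

Tenant isolation is then expressed in how resources are named and which policies Keycloak attaches to them (for instance a per-tenant prefix on the resource name, as in the test values), while the only place that ever needs the confidential client's credentials is the backend that manages those resources.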