Right thing to do when dealing with different levels of users


I’m writing to you to get your advice on how we should configure levels of users.

Our application is going to be used backend by our internal staff, and there’s also a front office application section.

We want extra-secure access for our internal staff, so right now we are planning to install one Keycloak instance in the DMZ and another, separate one that can be accessed from the internet.

Now, here are my questions:

  • If we do consider having those two Keycloaks, should we use them as master and slave? Meaning the external one would use the internal one as an IdP?
  • Or should we, on the contrary, have them both in parallel, so that when users authenticate, depending on their origin (issuer), we would be able to try 2 public keys to validate tokens?
  • Or do you consider multiplying Keycloaks a heresy, as realms are already made for separating populations and policies, and an externally-accessible Keycloak can already be secured enough to guarantee total protection of the internal staff and their data?

What’s your take?


That’s an opinion-based question. It really depends on what you accept as a secure setup and how many resources you are able to allocate for Keycloak management.

I would use a single Keycloak cluster (yes, a lazy admin does not want to double their own workload) with connectivity to the intranet and also to the internet, but it will be available under one domain record, i.e. different IP resolution per intranet/internet. Plus, the internet interface will be behind a reverse proxy which will proxy only the internet realm; the intranet realm, the master realm and the REST API will be available only from the intranet. If I also have the human resources, then I will enable X.509, so users will also need client certificates, plus mandatory MFA (TOTP, …).

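As an added illustration of the reply above (this is example configuration, not something posted in the thread or shipped by the Keycloak project), here is what the internet-facing reverse proxy could look like in nginx: only the public realm's endpoints are forwarded, and the admin console, the master realm, the intranet realm and the admin REST API are refused from the internet. It assumes the Quarkus-based Keycloak distribution served without the legacy `/auth` prefix, a public realm named `internet`, an intranet realm named `intranet`, and a Keycloak backend at `10.0.0.10:8080`; the hostname, address and certificate paths are constructed placeholders.

```nginx
# Added example, not from the original thread. Internet-facing reverse proxy in
# front of a single Keycloak cluster. Assumptions: Quarkus distribution without
# the /auth prefix, public realm "internet", backend 10.0.0.10:8080, hostname
# and certificate paths are placeholders.

upstream keycloak {
    server 10.0.0.10:8080;   # constructed backend address
}

server {
    listen 443 ssl;
    server_name sso.example.com;                               # placeholder

    ssl_certificate     /etc/nginx/tls/sso.example.com.crt;    # placeholder
    ssl_certificate_key /etc/nginx/tls/sso.example.com.key;    # placeholder

    # Default rule: anything not explicitly allowed below is refused.
    location / {
        return 404;
    }

    # The public realm only. Login pages, OIDC endpoints (token, userinfo,
    # logout, JWKS) and the account console all live under this prefix.
    # The trailing slash keeps "/realms/internetX/" from matching.
    location /realms/internet/ {
        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
    }

    # Static assets (themes, JS, CSS) referenced by the login pages.
    location /resources/ {
        proxy_pass http://keycloak;
        proxy_set_header Host $host;
    }

    # Already denied by the default location; listed explicitly so the intent
    # is visible in review: admin console + admin REST API, master realm and
    # the intranet realm stay intranet-only.
    location /admin/           { return 404; }
    location /realms/master/   { return 404; }
    location /realms/intranet/ { return 404; }
}
```

The intranet side of the same cluster needs no such filtering: the DNS name resolves to an internal address there, and the admin console, master realm and REST API are reached directly. Keycloak also needs to be told it sits behind a proxy so that the `X-Forwarded-*` headers above are trusted; which setting does that depends on the Keycloak version in use, so check the hostname and proxy documentation for the version you run.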

Thank you for your advice; I believe it was very pertinent!