Dear Keycloakers,
We are investigating Keycloak as a future IAM solution to replace an in-house developed one. we would love some input on best practices and get your thoughts on our proposed setup:
Existing setup
Our product lives on a few domains with multiple tenants, a tenant has their documents, and users have different roles to work with them.
- Documents belong to a tenant
- Users belong to a domain
- Domains have a default tenant
- Domains can have more than one tenant
- Users have a role on a tenant
So for instance we have app1.our-company.com
where we have tenantA
and tenantB
where I can access and work with their documents based on my roles, as well as app2.our-company.com
where we only have tenantC
, etc. Some of our apps share a common backend API, and some have an app specific backend API.
The main open point for us is how we deal with the tenant scoped roles and how we can put this information in the access token to be used across all our backend APIs. So in an ideal world we would get an access token like
"roles": {
"tenantA": ["role1", "role2"],
"tenantB": ["role2"],
"tenantC": ["role1", "role3"]
}
Then on each of our frontend clients and backend APIs can check exactly what access the user has.
Proposed solution
- Single keycloak realm
- Users no longer belong to a domain (single identity in the new Keycloak realm)
- All our frontend apps get a public client in keycloak where the users can get a token which can be used with all our backend APIs (if the user has access of course!)
- Tenant and role mapping represented as groups and subgroups - we then create a protocol mapper to put a list of the group paths in the access token, the groups do not have any roles attached, instead we use the path.
That last point is what we are currently not completely sure about. We would use the group path as a representation of the tenant and role mapping, so a user will have instead of the above:
"roles": [
"/tenantA/role1"
"/tenantA/role2",
"/tenantB/role2",
"/tenantC/role1",
"/tenantC/role3"
]
Is this a common practice or is this something discouraged? We would be open to any suggestions for alternative approaches. I am aware that the preview organizations feature has some multi-tenancy features but this seems geared more towards users that only belong to a single organization, so I think this is not something we can use at the moment.
Thanks in advance,
Jonas