Single realm, multi-tenant, tenant-scoped role setup advice

Interesting idea. So you would then say, for instance, that our app1.our-company.com would have multiple clients set up for the same app, and then users log in using different Keycloak clients?

That would allow us to have tenant-scoped roles, but in some cases in our app1, where I log in, I have access to two tenants, so I am not sure that case would be covered.

Cheers, Jonas

In the OAuth world, client = app.

I was suggesting: let's assume tenant1 logs in with client1, tenant2 logs in with client2, etc. All clients are in the same realm. And because they are all in the same realm, users (from different tenants) can SSO to different clients. And if you have client-based roles/groups, these will be enforced.
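
The following is an added example, not code from either participant in this thread. It shows what the proposed setup looks like on the application side: one realm, one Keycloak client per tenant, and tenant-scoped privileges modelled as client roles, which Keycloak places in the `resource_access` claim of the access token keyed by client ID. The client names ("tenant1", "tenant2") and the token payload are assumptions constructed for illustration; the payload is treated as already signature-verified by a JWT library. It also shows how the two-tenant case from the reply above behaves under this model, depending on whether the app binds the session to the `azp` claim (the client the user actually logged in through).

```python
"""Tenant-scoped authorization from Keycloak client roles.

Added example, not code from the thread's participants. It assumes the setup
proposed above: a single realm, one Keycloak client per tenant (here named
"tenant1", "tenant2", ... by convention), and tenant-scoped privileges modelled
as client roles. The token payload below is constructed for illustration and is
assumed to have been signature-verified already by a JWT library; it follows
the shape of Keycloak's `azp`, `realm_access` and `resource_access` claims.
"""
from typing import Dict, Set

# Assumed naming convention for tenant clients. Keycloak's built-in clients
# ("account", "realm-management", "broker", ...) do not match it and are
# therefore never treated as tenants.
TENANT_CLIENT_PREFIX = "tenant"

# Constructed, already-verified access token payload. The user authenticated
# through tenant1's client (azp) but also holds a role on tenant2's client.
SAMPLE_TOKEN = {
    "iss": "https://sso.our-company.com/realms/our-realm",
    "sub": "2f1d9c3a-7b4e-4e0a-9c11-5a6d8e7f0b21",
    "azp": "tenant1",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {
        "tenant1": {"roles": ["admin"]},
        "tenant2": {"roles": ["viewer"]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}


def tenant_roles(payload: dict) -> Dict[str, Set[str]]:
    """Return {tenant_client_id: roles} taken from resource_access.

    Realm roles and roles on Keycloak's own clients are deliberately left out:
    only client roles on tenant clients are tenant-scoped in this model.
    """
    roles: Dict[str, Set[str]] = {}
    for client_id, entry in payload.get("resource_access", {}).items():
        if not client_id.startswith(TENANT_CLIENT_PREFIX):
            continue
        roles[client_id] = set(entry.get("roles", []))
    return roles


def is_allowed(payload: dict, tenant: str, role: str,
               bind_to_azp: bool = True) -> bool:
    """Decide whether the caller may perform an action requiring `role` on `tenant`.

    With bind_to_azp=True the token must have been issued to that tenant's
    client (the `azp` claim), so a session started through tenant1's client
    cannot act on tenant2 even if the user holds tenant2 roles. With
    bind_to_azp=False any tenant the user has a role on is reachable from a
    single token, which is the "one user, several tenants, one app" case
    raised in the thread.
    """
    if bind_to_azp and payload.get("azp") != tenant:
        return False
    return role in tenant_roles(payload).get(tenant, set())


if __name__ == "__main__":
    print(tenant_roles(SAMPLE_TOKEN))
    for tenant, role in [("tenant1", "admin"), ("tenant2", "viewer")]:
        print(tenant, role,
              "bound to azp:", is_allowed(SAMPLE_TOKEN, tenant, role),
              "unbound:", is_allowed(SAMPLE_TOKEN, tenant, role, bind_to_azp=False))
```

One caveat for anyone trying this: whether roles on tenant2's client appear at all in a token issued to tenant1's client depends on that client's scope configuration in Keycloak (full scope allowed versus explicit scope mappings), so the unbound variant only works if the clients are configured to include each other's roles.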

Right, right, yes, I follow the client = app concept, but the problem I am dealing with here is when we have a single client/app but users have access to multiple tenants in that app, with different privileges. This is not really solved by the solution proposed, as far as I see it.

Cheers,
Jonas