Two or N realms when "service accounts" are in use


We’re modifying two SaaS products to use OAuth2 using Keycloak. There are two realms, because the users of the two products do not overlap and are separate.

The question is about the best way to secure services:

  1. Each service can have its own realm and we create clients in that service-specific realm for each other service that needs to contact the service.
  2. We re-use the realm for each of the two SaaS applications - two in total, and each service that participates in the SaaS has a client in that realm, and we control which services it can contact with standard Keycloak permissions.

The advantage of 1. is that each realm is simple, but now x-service may need clients in multiple realms, one for each service they communicate with.

The advantage of 2. is that there are far fewer realms, and each application will only need 1 client, but the permissions configuration for each service is now less transparent. Also, services that service both SaaS products need to accept tokens from each SaaS’s realm.

Is there any experience out there as to the best approach?
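
For option 2, a service shared by both products has to pin which realms it trusts and which calling clients each realm may send. The sketch below is an added example, not part of the original post: the host, realm names, client ids and keys are hypothetical, and HS256 with a per-realm secret stands in for the RS256/JWKS verification a Keycloak deployment would normally use.

```python
import base64, hashlib, hmac, json, time

# Constructed trust table (assumption: names and keys are hypothetical).
# The issuer selects the key and the set of clients allowed to call from that realm.
TRUSTED_REALMS = {
    "https://sso.example.test/realms/saas-a": {"key": b"realm-a-demo-key", "callers": {"billing"}},
    "https://sso.example.test/realms/saas-b": {"key": b"realm-b-demo-key", "callers": {"reports"}},
}
AUDIENCE = "shared-service"  # this service's own client id (hypothetical)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims, key):  # builds a constructed HS256 token for the demo
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token, now=None):
    """Return the claims if the token is acceptable, else raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header, claims, sig_bytes = json.loads(_unb64(head)), json.loads(_unb64(body)), _unb64(sig)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm, do not let the header choose
        raise ValueError("unexpected alg")
    iss = claims.get("iss")
    realm = TRUSTED_REALMS.get(iss) if isinstance(iss, str) else None
    if realm is None:  # only allow-listed realms may select a key
        raise ValueError("untrusted issuer")
    expected = hmac.new(realm["key"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    aud = claims.get("aud", [])
    if AUDIENCE not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("wrong audience")
    if claims.get("azp") not in realm["callers"]:  # per-realm caller allow-list
        raise ValueError("caller not allowed for this realm")
    return claims
```

Keeping the caller allow-list next to the issuer entry keeps the "who may call me, from which realm" rule visible in the service itself, in addition to whatever is configured in Keycloak.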