I have some Spring Boot microservices with Spring Cloud API gateway (Zuul) in front of them.
The API gateway authenticates users and forwards the Authorization bearer token header.
Working fine with a single realm.

Now, I'd like to use multiple realms.

Using KeycloakConfigResolver, I'm able to authenticate user with the API gateway (keycloak deployment based on path).

But how should I configure KeycloakConfigResolver for microservices (bearer-only) so they use the right KeycloakDeployment? As every service can be accessed by both realms, I don't know how to detect against which realm the user was authenticated.

I cannot use path for KeycloakConfigResolver as for example for the order-service, users can do a GET on /orders being authenticated by realm1 or realm2...

Using a header does not seem to be a good solution either... Any idea?

I hope I'm clear enough...

Cedric Thiebault
  • `As every service can be accessed by both realms I don't know how to detect against which realm user was authenticated`. The realm entity is supposed to be opaque in keycloak. Doesn't this seem like a bit of hacking to you? Can't think of any benefit you get from using more than one realm here.. – Aritz Apr 23 '18 at 07:36

1 Answer

You can find the realm from the KeycloakPrincipal (logged-in user) and then build the KeycloakDeployment accordingly; you can find the example here

import java.io.InputStream;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;

// adapter config for realm1 (keycloak.json) read from the classpath
InputStream is = getClass().getResourceAsStream("/realm1-keycloak.json");
KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(is);
ravthiru
  • But as the user is only logged-in for the API Gateway client and not yet for the service behind API Gateway `SecurityContextHolder.getContext().getAuthentication()` is null. The only info available for the service is the bearer token from header.... – Cedric Thiebault Apr 18 '18 at 09:16
  • Check here on how to get KeycloakPrincipal https://stackoverflow.com/questions/31864062/fetch-logged-in-username-in-a-webapp-secured-with-keycloak – ravthiru Apr 18 '18 at 10:54
  • You need to have KeycloakConfigResolver in the API gateway, so you can forward the request to the right realm – ravthiru Apr 18 '18 at 10:55
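An added example, not from the question or the answer above: for a bearer-only service, the only realm information available before authentication is the token itself, so a KeycloakConfigResolver can read the (not yet verified) `iss` claim, map the realm name to an allow-listed adapter config, and let the resulting KeycloakDeployment do the actual signature check. The file names `/realm1-keycloak.json` and `/realm2-keycloak.json`, the class name `IssuerBasedConfigResolver` and the use of an empty `KeycloakDeployment` as the "reject everything" fallback are assumptions of this example; the adapter API calls (`KeycloakConfigResolver`, `KeycloakDeploymentBuilder`, `JWSInput`, `AccessToken`) are the Keycloak Java adapter's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.AccessToken;

/** Picks the KeycloakDeployment for a bearer-only service from the token's issuer realm. */
public class IssuerBasedConfigResolver implements KeycloakConfigResolver {

    // Allow-list: realm name -> adapter config on the classpath (assumed file names).
    // Only realms listed here are ever accepted; an unknown issuer is rejected.
    private static final Map<String, String> REALM_CONFIGS = Map.of(
            "realm1", "/realm1-keycloak.json",
            "realm2", "/realm2-keycloak.json");

    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    // Deployment without realm/keys: the adapter cannot verify anything with it,
    // so requests resolved to it fail authentication (assumed fallback idiom).
    private final KeycloakDeployment rejectAll = new KeycloakDeployment();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String realm = realmFromBearer(request.getHeader("Authorization"));
        if (realm == null || !REALM_CONFIGS.containsKey(realm)) {
            return rejectAll;
        }
        return cache.computeIfAbsent(realm, this::load);
    }

    /**
     * Extracts the realm name from the unverified "iss" claim.
     * Keycloak issuers look like {auth-server-url}/realms/{realm}.
     * Nothing here is trusted: the returned name only selects which
     * deployment (and therefore which realm public key) verifies the token.
     */
    static String realmFromBearer(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return null;
        }
        String token = authorizationHeader.substring(7).trim();
        try {
            AccessToken unverified = new JWSInput(token).readJsonContent(AccessToken.class);
            String issuer = unverified.getIssuer();
            if (issuer == null) {
                return null;
            }
            int idx = issuer.lastIndexOf("/realms/");
            if (idx < 0) {
                return null;
            }
            String realm = issuer.substring(idx + "/realms/".length());
            // Reject empty or path-like values so the allow-list lookup stays exact.
            return realm.isEmpty() || realm.contains("/") ? null : realm;
        } catch (JWSInputException e) {
            return null; // not a well-formed JWS; the adapter will answer 401
        }
    }

    private KeycloakDeployment load(String realm) {
        try (InputStream is = getClass().getResourceAsStream(REALM_CONFIGS.get(realm))) {
            if (is == null) {
                throw new IllegalStateException("missing adapter config for realm " + realm);
            }
            KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(is);
            // Defence in depth: the config file must really belong to the realm it is listed under,
            // otherwise a token from realm A could be verified against realm B's settings.
            if (!realm.equals(deployment.getRealm())) {
                throw new IllegalStateException("config " + REALM_CONFIGS.get(realm)
                        + " is for realm " + deployment.getRealm() + ", expected " + realm);
            }
            return deployment;
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
}
```

Register it as a `@Bean` of type `KeycloakConfigResolver` in each bearer-only service and enable `keycloak.use-resource-role-mappings` or whatever the adapter configs already need; the gateway's path-based resolver stays as it is. The important property is that the issuer claim is used only to choose among a fixed set of deployments: the token is still verified against the chosen realm's keys, and a token whose issuer is not in the list never reaches a deployment that could accept it.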