4

We are using Keycloak for a SaaS offering. Each user is part of a tenant / account and has specific roles for accessing this account's data. The roles are configured in Keycloak and the related account is saved as a user attribute on the user.

Now we've got a new requirement to give users access to multiple accounts. And for each of these accounts the user might have different roles:

User A:
- Account A:
  - ADMIN
- Account B:
  - Reader 
User B
- Account B:
  - Reader
...

I found a lot of articles about different approaches to multi tenancy, but nothing in this direction. Most of the articles combined roles and groups. But in my case I would need to create a new group for every account. So I would end up with thousands or millions of groups.

Right now my APIs can authorize requests based on the issued JWT. Ideally I can keep this.

What's the best way to get this structure (users having access to multiple accounts with different roles) into place? Is this actually possible with keycloak?

Or am I thinking into the wrong direction? It sounds like a rather common use case.

Thanks a lot already.

dreamcrash
  • 47,137
  • 25
  • 94
  • 117
jwuebb
  • 58
  • 8

1 Answers1

2

The roles are configured in Keycloak and the related account is saved as > a user attribute on the user.

I am not sure why you need this, since you can extrapolate that based on the user role.

Now we've got a new requirement to give users access to multiple accounts. And for each of these accounts the user might have different roles:

If I fully understood your problem I think it can be solved with Client Level roles. For instance:

Go to :

  • Your Realm;
  • Clients;
  • Account A;
  • Roles;
  • Add Role;
  • Set the role and save it

enter image description here

To set the role to the user go to

  • Your Realm;
  • Users;
  • Click on the user;
  • Role Mapping;
  • From the Client Roles dropdown select the client (e.g., Account A)
  • Add the Role;

enter image description here

Right now my APIs can authorize requests based on the issued JWT. Ideally I can keep this.

How a token request to the Account A on behalf of user a would look like:

  "acr": "1",
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "AccountA": {
      "roles": [
        "ADMIN"
      ]
    },
    "AccountB": {
      "roles": [
        "Reader"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },

One might say that when requesting a token from client Account A one does not really care about the roles in the client Account B. That can be solved by using Keycloak's Scope Feature. With this feature one can select the roles from other clients that are relevant to the current client. By default, all roles are included. Nonetheless, to filter the roles one needs to go:

  • Your Realm;
  • Clients;
  • Client Account A in this case;
  • Scope;
  • Switch to OFF the option Full Scope Allowed;
  • Save.

enter image description here

How the token looks like now:

  "resource_access": {
    "AccountA": {
      "roles": [
        "ADMIN"
      ]
    }
  },
dreamcrash
  • 47,137
  • 25
  • 94
  • 117