Implement multi-tenanted application with Keycloak and springboot

keycloak multi tenancy
keycloak multiple clients
keycloak spring security
realm vs tenant
keycloak realm hierarchy
keycloak sso multiple realms
keycloak tomcat
keycloak import multiple realms

When we use 'KeycloakSpringBootConfigResolver' for reading the keycloak configuration from springboo properties file instead of keycloak.json.

Now there are guidelines to implement a multi-tenant application using keycloak by overriding 'KeycloakConfigResolver' as specified in

the steps defined here can only be used with keycloak.json How can we adapt this to spring boot application such that keycloak properties are read from spring boot properties file and multi-tenancy is acheived.

After several trials, the only feasible option for spring boot is to have

  1. Multiple instances of the spring boot application running with different spring 'profiles'.
  2. Each application instance can have its own keycloak properties (as it is under different profiles) including the realm.

The challenge is to have an upgrade path for all instances for version upgrades/bug fixes, but I guess there are multiple strategies already implemented (not part of this discussion)

Using Keycloak and Angular with multi-tenant configurations, I am trying to create a spring boot application (scalable in nature) with Hibernate Multi-tenancy (database per tenant approach), this part is working fine. GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together. Sign up Sample project which shows how to implement a secured AngularJS/Spring-Boot application secured by Keycloak.

there is a ticket regarding this problem: Comments for that ticket also talk about possible workarounds intervening in servlet setup of the service used (Tomcat/Undertow/Jetty), which you could try.

Note that the documentation you linked in your first comment is super outdated!

[keycloak-dev] SpringBoot : Multi-tenant Example, Following up on my initial article on Keycloak & AngularJS implementation using RouterUI, article we are taking it to the next level with the support of a truly multi​-tenant application… How to Use Netflix's Eureka and Spring Cloud for Service Registry Build and Deploy Spring Boot Web Service using Azure DevOps. It allows you to redirect unauthenticated users of the web application to the Keycloak login page, but send an HTTP 401 status code to unauthenticated SOAP or REST clients instead as they would not understand a redirect to the login page. Keycloak auto-detects SOAP or REST clients based on typical headers like X-Requested-With, SOAPAction or Accept.

You can access the keycloak config you secified in your application.yaml (or if you inject org.keycloak.representations.adapters.config.AdapterConfig into your component.

public class MyKeycloakConfigResolver implements KeycloakConfigResolver {

    private final AdapterConfig keycloakConfig;

    public MyKeycloakConfigResolver(org.keycloak.representations.adapters.config.AdapterConfig keycloakConfig) {
        this.keycloakConfig = keycloakConfig;

    public KeycloakDeployment resolve(OIDCHttpFacade.Request request) {
        // make a defensive copy before changing the config
        AdapterConfig currentConfig = new AdapterConfig();
        BeanUtils.copyProperties(keycloakConfig, currentConfig);

        // changes stuff here for example compute the realm



Keycloak multi tenancy spring boot, Hello, I would really appreciate advice on how to implement Multi-tenant SSO in a Spring Boot application. The "User Guide" Spring Boot  The process of obtaining permission tickets from Keycloak is performed by resource servers and not regular client applications, where permission tickets are obtained when a client tries to access a protected resource without the necessary grants to access the resource.

Custom KeycloakConfigResolver for Spring Boot adapter., Mar 03, 2019 · Keycloak Securing a Spring Boot Application with Keycloak - A keycloak on how to implement multi-tenancy: Following up on my initial article  Spring Boot attempts to eagerly register filter beans with the web application context. Therefore, when running the Keycloak Spring Security adapter in a Spring Boot environment, it may be necessary to add FilterRegistrationBean s to your security configuration to prevent the Keycloak filters from being registered twice.

Securing Applications and Services Guide, KeycloakSpringBootConfigResolver is hardcoded registered in KeycloakSpringBootConfiguration. Particularly it is useful for multi-tenant scenario in which it is  For more details go to about and documentation, and don't forget to try Keycloak. It's easy by design! Login once to multiple applications. Standard Protocols. OpenID Connect, OAuth 2.0. Centralized Management. For admins and users. Secure applications and services easily.

ineat/spring-keycloak-multitenant, Spring Boot Adapter; 2.1.7. Multi Tenancy; 2.1.19. suited for HTML5/​JavaScript applications because it is easier to implement on the client side than SAML. Note that this article has been updated to the new Spring Security OAuth 2.0 stack. The tutorial using the legacy stack is still available, though. In this quick tutorial, we'll focus on setting up OpenID Connect (OIDC) with Spring Security. We'll present different aspects of this specification, and then we'll see the support that Spring

  • Why not use keycloak.json? You can use multiple json files for realms and achieve multitenancy with springboot.