keycloak - realm resolution based on username (email address)


Question

I'm working on a multi-tenant project where usernames are actually their email addresses and the domain of the email serves as a tenant identifier.

Now in keycloak I'll have different realms per tenant, but I want to have a single login page for all tenants and the actual realm that will do the authentication to be somehow resolved by the username (email address).

How can I do that?

I found a thread on the mailing list (that I can't find now...) that discussed the same problem. It was something along the lines of - create a main realm that will "proxy" to the others, but I'm not quite sure how to do that.

Recommended answer

The idea from the mailing list is to write a service (let's say auth-redirector.example.com) that has a single input field for email, finds realm based on domain and redirects to that realm's keycloak endpoint (e.g. auth.example.com/auth/realms/realm-name/etc…) while keeping all GET params.

You can find examples of direct login/registration URLs here: https://lists.jboss.org/pipermail/keycloak-user/2016-July/007045.html

One usability problem is that users would have to provide their email twice; I have not yet found a way to pass the username via the login URL.
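
The redirector described in the answer, as an added example that is not part of the original answer: it resolves the realm from the email domain through an exact-match table, keeps the incoming GET parameters, and sets the standard OIDC `login_hint` parameter, which Keycloak uses to prefill the username field. The realm table, `KEYCLOAK_BASE` and the function names are assumptions; the path is Keycloak's OpenID Connect authorization endpoint under the `/auth` prefix used in the answer's URL.

```python
from urllib.parse import parse_qsl, quote, urlencode

# Constructed sample data (assumption): email domain -> realm name.
# Exact-match lookup only, so the redirect target can never be chosen
# by user input outside this table.
REALM_BY_DOMAIN = {"acme.example": "acme", "globex.example": "globex"}

# Host taken from the answer's example URL; adjust to the real deployment.
KEYCLOAK_BASE = "https://auth.example.com/auth"


def realm_for_email(email):
    """Return the realm for an email address, or None for unknown tenants."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    # Normalise case and a trailing dot; no suffix or wildcard matching.
    return REALM_BY_DOMAIN.get(domain.lower().rstrip("."))


def login_redirect(email, query_string):
    """Build the realm login URL, or return None when no realm matches.

    All GET parameters are forwarded unchanged, except that any
    caller-supplied login_hint is replaced by the address just entered.
    """
    realm = realm_for_email(email)
    if realm is None:
        return None
    params = [
        (key, value)
        for key, value in parse_qsl(query_string, keep_blank_values=True)
        if key != "login_hint"
    ]
    params.append(("login_hint", email.strip()))
    # urlencode percent-encodes every value, so CR/LF or '&' in the input
    # cannot break out of the query string or the Location header.
    return (
        f"{KEYCLOAK_BASE}/realms/{quote(realm, safe='')}"
        f"/protocol/openid-connect/auth?{urlencode(params)}"
    )
```

Returning `None` for an unknown domain lets the calling web handler show the same generic error for every failure, which avoids confirming which domains are tenants.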
