Reputation: 43
I am implementing multitenancy with multiple realms in Keycloak. As planned, the frontend should make a request to the backend-for-frontend microservice on Spring Boot 3, and there, through Spring Security, a redirect should occur to the Keycloak form for entering the login and password.
The problem is that I cannot find an example showing at what point and where it is necessary to define the iss URI for authentication in Keycloak. Because there are many realms, they must be created dynamically (at runtime), and I cannot write them statically in any configuration.
My question is how to determine on the fly which realm URI to redirect the user to for authentication if realms are created dynamically.
Upvotes: 0
Views: 237
Reputation: 12835
Probably: new generated realm => new instances with new generated configuration.
What you are asking is mostly a business decision:
For instance, in SaaS, there could be a new realm for each new company subscription and the users from this company would be provided with links like https://new-company.super-saas.pf or https://super-saas.pf/new-company. The front-end served from this URI would probably be a new instance with configuration generated for the new realm (either directly or through a dedicated BFF). In such a scenario, only the resource server instances are multi-tenant. Each front-end (and optional BFF) instance is actually single-tenant and can be configured statically (it is the instances pool that is dynamic and multi-tenant).
Upvotes: 0
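
The answer above leaves the resource server as the only multi-tenant piece. The following is an added example, not code from the answer or from the Keycloak or Spring projects: a Spring Security resource server configuration that picks the JWT decoder from the token's `iss` claim at runtime, but only for issuers under one trusted Keycloak host. The host `keycloak.example.com`, the `/realms/{name}` issuer layout and the realm-name pattern are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MultiRealmResourceServerConfig {
    // Assumption: all realms live on this single Keycloak host (placeholder URL).
    // A full match is required, so look-alike hosts and extra path segments fail.
    private static final Pattern TRUSTED_ISSUER =
            Pattern.compile("https://keycloak\\.example\\.com/realms/[a-z0-9-]{1,64}");

    private final Map<String, AuthenticationManager> managers = new ConcurrentHashMap<>();

    // Called with the unverified iss claim of the incoming bearer token.
    AuthenticationManager forIssuer(String issuer) {
        if (issuer == null || !TRUSTED_ISSUER.matcher(issuer).matches()) {
            return null; // the resolver rejects the token as "Invalid issuer"
        }
        return managers.computeIfAbsent(issuer, iss -> {
            // Fetches the realm's discovery document and keys once, then caches.
            JwtAuthenticationProvider provider =
                    new JwtAuthenticationProvider(JwtDecoders.fromIssuerLocation(iss));
            return provider::authenticate;
        });
    }

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        AuthenticationManagerResolver<String> byIssuer = this::forIssuer;
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.authenticationManagerResolver(
                    new JwtIssuerAuthenticationManagerResolver(byIssuer)));
        return http.build();
    }
}
```

The pattern check runs before any network call because the `iss` claim is read from a token that has not been verified yet; without it the server would fetch signing keys from whatever URL the caller supplies.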