I'm starting a PoC to create a module that can be used in our multitenant architecture to provide OAuth2 Access tokens to our applications. We already have microservices which manage tenant/module/roles profile for each user and every tenant has its own IdP.
We would like to evaluate Keycloak in our architecture for IdP brokering, using a realm per tenant for configuration, not using anything inside Keycloak like roles/groups, and customizing the resulting Access token with a custom claim mapper which will retrieve profile information from our microservices.
I have some doubts about the usage of Keycloak in this scenario; probably every point could have been a question on SO, but it is clearer to group them here:
With IdP brokering, is Keycloak storing username/credentials/token somewhere? If so, can I disable it, or is it necessary for something else?
The username along with some metadata will be imported:
Keycloak checks if the response from the identity provider is valid. If valid, Keycloak imports and creates a user if the user does not already exist. Keycloak may ask the identity provider for further user information if the token does not contain that information. This behavior is identity federation. If the user already exists, Keycloak may ask the user to link the identity returned from the identity provider with the existing account. This behavior is account linking. With Keycloak, you can configure Account linking and specify it in the First Login Flow. At this step, Keycloak authenticates the user and issues its token to access the requested resource in the service provider.
The credentials will not be imported. By default tokens will not be stored, but you can do it if you want; read more about it here.
Every realm will have its own JWKs. Is it possible to have only one? I'm thinking that our applications, which already work in a multitenant way, will have to manage a list of possible JWKs, and that does not sound so good to me.
Not sure how your multi-tenant setup is, but if you have a centralized realm and use IdP brokering to log in to that centralized realm via an IdP, I think you would only need to care about the JWKs of the centralized realm. Nonetheless, you can at the very least customize JWKs at the client level.
Is it possible to disable the login form of Keycloak? I won't use it as an IdP, so my clients will always select their IdP to log in.
Yes, have a look at the 'kc_idp_hint' option in "Integrating identity providers".
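The two answers above (per-realm JWKs and skipping the Keycloak login form with kc_idp_hint) can be illustrated from the application side. The following is an added example, not code from the question, the answer or the Keycloak project: a small tenant registry that maps each tenant to its realm issuer and brokered IdP alias, builds the authorization URL with kc_idp_hint so Keycloak redirects straight to that tenant's IdP, and verifies an access token by selecting the key set for the token's realm and kid. The tenant names, issuer URLs, IdP aliases, kids and secrets are all constructed. HS256 shared secrets stand in for Keycloak's RS256 realm keys so the block runs with the standard library alone; in a real deployment the per-realm key set would be fetched from `{issuer}/protocol/openid-connect/certs`.

```python
"""Tenant-aware login URL + per-realm token verification (added example)."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed tenant registry: one Keycloak realm (issuer) and one brokered
# identity-provider alias per tenant. All values are made up for the example.
BASE = "https://sso.example.test"
TENANTS = {
    "acme": {"issuer": f"{BASE}/realms/acme", "idp_alias": "acme-azuread"},
    "globex": {"issuer": f"{BASE}/realms/globex", "idp_alias": "globex-okta"},
}

# Constructed per-realm key sets, keyed by issuer and then by kid. One entry
# per realm is exactly the bookkeeping the question is worried about; with a
# single centralized realm this dict collapses to one issuer.
# (HS256 secrets here; Keycloak realms actually publish RSA keys as a JWKS.)
REALM_KEYS = {
    TENANTS["acme"]["issuer"]: {"acme-k1": b"acme-secret-1"},
    TENANTS["globex"]["issuer"]: {"globex-k1": b"globex-secret-1"},
}


def build_login_url(tenant, client_id, redirect_uri, state):
    """Authorization-code request for a tenant. kc_idp_hint=<alias> makes
    Keycloak skip its own login page and redirect to that IdP directly."""
    t = TENANTS[tenant]
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "kc_idp_hint": t["idp_alias"],
    }
    return f"{t['issuer']}/protocol/openid-connect/auth?{urlencode(params)}"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(issuer, kid, claims):
    """Mint a token the way a realm would (test helper for the example)."""
    key = REALM_KEYS[issuer][kid]
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_access_token(token, expected_aud, now=None):
    """Return the claims of a valid token or raise ValueError.
    The unverified 'iss' claim is used only to *select* the realm's key set;
    the signature check then binds the token to that realm's key."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    claims = json.loads(b64url_decode(p))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    keyset = REALM_KEYS.get(claims.get("iss"))
    if keyset is None:
        raise ValueError("unknown issuer")
    key = keyset.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid for this issuer")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("audience mismatch")
    return claims


if __name__ == "__main__":
    print(build_login_url("acme", "portal", "https://app.example.test/cb", "s1"))
    iss = TENANTS["acme"]["issuer"]
    tok = sign_token(iss, "acme-k1", {"iss": iss, "aud": "portal",
                                       "sub": "u1", "exp": time.time() + 300})
    print(verify_access_token(tok, "portal")["sub"])
```

The key-lookup order matters: a token whose payload names one realm but whose kid belongs to another is rejected before any signature is computed, so keys from one tenant can never validate tokens claiming another tenant's issuer.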
Is it correct to use Keycloak in this sort of scenario, using probably 10% of its capabilities, rather than using something like Ory Hydra?
I have no experience with "Ory Hydra", but this feels like an Opinion based question.