Multi Tenant Phoenix Application - Authenticating on a keycloack multi realm

Hello everyone,

I’m working on a Phoenix 1.7 application that requires authentication and authorization using Keycloak. This application is a SAAS multi-tenant system, where the Phoenix 1.7 front-end communicates with a Python Django back-end. Each tenant is identified by a subdomain, such as “,” and each tenant corresponds to a separate Keycloak realm. The Django back-end handles tenancy perfectly, but I’m facing challenges in implementing the same with Elixir and Phoenix using Pow and PowAssent.

Here’s what I have done so far in my configuration, although I’m currently forcing the tenant to “dogfooding” for the sake of progress:

elixirCopy code

config :bpfe, :pow_assent,
  providers: [
    blueparachute: [
      site: "",
      client_id: "dogfooding_auth_client",
      client_secret: "JHbZvvfuaen2H37genUHHUubhUANuP3z",
      strategy: Assent.Strategy.OIDC,
      redirect_uri: "http://{@tenant}"

The Problems:

  1. When I generate links to providers in my Phoenix view:
<%= for link <- PowAssent.Phoenix.ViewHelpers.provider_links(@conn, tenant: @tenant) do %>
  <span class="btn btn-primary"><%= link %></span>
<% end %>

The redirect_uri is not constructed correctly. It always redirects to “” without including the “dogfooding” tenant. I need assistance in rewriting the URL to include the correct tenant.

  1. I need to understand how to handle the callback. Specifically, I want to perform operations such as inserting users into the database, creating sessions, and so on. I’ve been working on this for the past two weeks but haven’t found a reliable solution.

Your guidance and assistance would be greatly appreciated. Thank you!

Hi @asrocha,

I hope you’ll get some productive help. I asked many times for some guidance in “integration” cases and specifically for Keycloak, since I truly believe that if there would be more help/activity in this integration part, the whole ecosystem would benefit since new opportunities would open (integration with Enterprise ecosystems, … ) and specifically because it is a totally natural state to have heterogeneous systems in your solution. I wish some of more wise people would react on this and put some effort into this.

Regardles what I just wrote, you still have your problem. :slight_smile: Hope someone helps you (and others with that too).

Kind regards,

1 Like


I’ve documented how to integrate Assent with the code generated by phx.gen.auth before here:

This might give you an idea how to do the integration. Keep in mind that this is not integrating the full Pow goodies (so it won’t answer your first question), which afaik, makes phx.gen.auth unneeded.

1 Like

I have still not got to use it in production, but these types of problems seem to be a perfect match for Ash. Namely Multitenancy — ash v2.14.21 in this case.

1 Like

@tomazbracic, thanks for aswer.
I came from Python ( where I have many years of experience in backend and architecture) and open source world solutions (I newbie in Elixir in Phoenix, it is Challenger think elixir way), but I believe that a complex problem, need a solutions that solve the problem:
I recoment for everyone Keycloak a authentication and authorization solution for application that have multiples (cloud, microservice, frontend, backend) etc.
I 'm not found the way that Phoenix works satisfactory with multi-tenancy in keycloak, but When I found that I will share to the community.

@linusdm Thanks for answer
I will clone your repository and try understand your code and approach.
Thanks for your time and attention.