OpenID Connect realms strategy – Information Security Stack Exchange


I’m reaching out to see if I can get a second opinion on something that came up at work. One of the clients of the company that I work at is setting up an OpenID Connect provider to authenticate APIs that they will be exposing to third parties (partners and, in the future, perhaps other APIs available to the general public). This provider might also be used for internal APIs further down the line.

Since the provider has to be exposed to the internet, do you think it is a reasonable strategy to set up three different realms, one for each of the three scenarios that I described above (external APIs for partners, external APIs for the general public, and internal APIs)? In case it’s relevant, the client is working with RedHat SSO.

To make the administration manageable, as long as each partner has its own client and it is correctly configured per the needs of each integration scenario, I thought that this setup would be correct.
On the other hand, publicly available APIs will probably serve different, less sensitive information, so I thought it could be acceptable to have a separate realm for those cases.

Thanks in advance!
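Added example (not part of the question or of RedHat SSO itself) showing what the three-realm split buys a resource server: each realm has its own issuer URL and its own signing keys, so an API bound to the "internal" realm rejects a token minted in the "partners" realm even when its claims look plausible. The hostname, realm names and client ids are assumed, and HS256 shared secrets stand in for the per-realm RSA keys so it runs offline with the standard library.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed values: one verification key per realm. In RedHat SSO each realm
# publishes its own keys and issuer; the secrets below are stand-ins for them.
BASE = "https://sso.example.com/auth/realms/"   # assumed provider hostname
REALM_KEYS = {
    "partners": b"partners-realm-secret",
    "public":   b"public-realm-secret",
    "internal": b"internal-realm-secret",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(realm: str, client_id: str, audience: str, ttl: int = 300) -> str:
    """Stand-in for the provider issuing an access token inside one realm."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": BASE + realm, "azp": client_id, "aud": audience,
              "exp": int(time.time()) + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(REALM_KEYS[realm], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str, realm: str, audience: str) -> Optional[dict]:
    """Check an API bound to `realm` would apply: key, alg, issuer, audience, expiry."""
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None   # pin the algorithm; never trust the one named in the token alone
    expected = hmac.new(REALM_KEYS[realm], f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None   # signed with another realm's key, or tampered with
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != BASE + realm:
        return None   # issuer must be this API's realm, not just any realm on the host
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        return None
    return claims
```

The second check in the test below is the one that matters for the question: a valid partner token presented to the internal API fails on the key and issuer checks rather than being accepted because it came from the same provider.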