[keycloak-dev] configuring social providers

Bill Burke bburke at redhat.com
Mon Jul 22 10:33:22 EDT 2013



On 7/22/2013 10:15 AM, Marko Strukelj wrote:
> I don't exactly remember where I saw this, but it was with one of the existing identity broker providers ... When you set up an application, you specify what your application needs, i.e.
>
> - Access Email
> - Access List of Friends
> - Post to wall
> - Access Documents
> - Access Location
>
> You just click checkboxes, and the broker requires the appropriate social-provider-specific access profiles.
>
> If all the interaction with the social graph and social-service-specific APIs were proxied through Keycloak APIs, then Keycloak can limit access based on the application profile, regardless of whether another application triggered the user to grant greater access to Keycloak than one specific application requires.
>
> Also, the phishing alarm when seeing Keycloak mentioned in the authorization form can be alleviated by adding a "Powered by Keycloak" badge to the sign-in page of the app, or by mentioning Keycloak some other way.
>

That's a good point.  So what are the current downsides of a global 
account?

* Revoke page would only have keycloak.org listed
* Social login page would state that Keycloak (and not the app) is 
interested in a specific scope, which could be mitigated by having a 
"Powered by Keycloak" on the sign-in page of the app.



-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
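
The per-application limit discussed above for a global account, as an added example that is not part of the original thread and is not Keycloak code: a broker that gates every proxied call on both the application's checkbox profile and the user's grant to the broker. The `Broker` class, the capability names, the `example-social` provider and its scope strings are all constructed for illustration.

```python
# Added illustration; every name and value here is constructed, not a Keycloak API.
from dataclasses import dataclass, field

# Provider-neutral capabilities, one per checkbox in the quoted message.
CAPABILITIES = {"email", "friends", "post_to_wall", "documents", "location"}

# Hypothetical mapping to one provider's scope strings (placeholder values).
PROVIDER_SCOPES = {
    "example-social": {
        "email": "scope.email", "friends": "scope.friends",
        "post_to_wall": "scope.publish", "documents": "scope.docs",
        "location": "scope.location",
    }
}

@dataclass
class Broker:
    app_profiles: dict = field(default_factory=dict)  # app -> capabilities ticked at setup
    user_grants: dict = field(default_factory=dict)   # user -> capabilities granted to the broker

    def register_app(self, app, capabilities):
        unknown = set(capabilities) - CAPABILITIES
        if unknown:
            raise ValueError(f"unknown capabilities: {sorted(unknown)}")
        self.app_profiles[app] = frozenset(capabilities)

    def scopes_to_request(self, app, user, provider):
        """Provider scopes still missing for this app's profile at sign-in."""
        missing = self.app_profiles[app] - self.user_grants.get(user, set())
        return sorted(PROVIDER_SCOPES[provider][c] for c in missing)

    def record_grant(self, app, user):
        """The user approved the consent screen shown while signing in through app."""
        self.user_grants.setdefault(user, set()).update(self.app_profiles[app])

    def authorize(self, app, user, capability):
        """Gate for a proxied call: the app profile AND the user's grant must both allow it."""
        return (capability in self.app_profiles.get(app, frozenset())
                and capability in self.user_grants.get(user, set()))

def demo():
    broker = Broker()
    broker.register_app("newsletter", {"email"})
    broker.register_app("photo-wall", {"email", "friends", "post_to_wall"})
    broker.record_grant("photo-wall", "alice")  # global account now holds the wider grant
    return broker
```

After `demo()`, the broker holds a wall-posting grant for alice, yet `authorize("newsletter", "alice", "post_to_wall")` is refused because the newsletter profile only ticked email.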

