[keycloak-dev] Google redirect url

Stian Thorgersen sthorger at redhat.com
Thu Jan 14 03:57:23 EST 2016


On 14 January 2016 at 09:12, Thomas Raehalme <
thomas.raehalme at aitiofinland.com> wrote:

> On Thu, Jan 14, 2016 at 9:48 AM, Stian Thorgersen <sthorger at redhat.com>
> wrote:
>>
>>
>> On 13 January 2016 at 22:09, Thomas Raehalme <
>> thomas.raehalme at aitiofinland.com> wrote:
>>
>>> Hi!
>>>
>>> Google doesn't accept wildcards in redirect URLs. This means I have to
>>> create a separate client for every realm in the Google console.
>>>
>>> Any chance we could have a shared redirect URL across realms? Maybe as
>>> an option in the federation configuration? Then I could share the same
>>> Google config for each tenant.
>>>
>> -1 The client in Google should be per-realm as otherwise you're also
>> sharing the config in Google (logo, contact email, etc) and also consent.
>> Also, all logic here is per-realm so it would be a fair bit of special code
>> to be able to support this.
>>
>
> I understand your points, but in a SaaS application with a realm per
> tenant, it would simplify operations a great deal. You'd probably be
> sharing the config in Google anyways.
>

In a SaaS application it's even more important to have a separate client at
Google. You want the owner of the tenant to bring their own and not have
one shared between all tenants. Another issue is the number of requests
per client. Google limits the number of free API calls you can do (can't
remember how many) and you have to pay after that. I don't think you want
to pay for all tenants of a SaaS platform in one go?


>
> For example, themes are also shared across realms so would it really be
> such a big problem considering the advantages?
>

Theme sources are shared, but they are still configured individually
per-realm and also bring in config from the realm itself. A theme is just
like a JAR in this perspective.

Having a shared redirect URI for an identity broker would mean we'd need a
non-realm-specific endpoint for this, which means the endpoint would have
to somehow figure out which realm the redirect belongs to before processing
it. This may be even more complicated in the future if we introduce more
isolation between realms, for example having a different store for each
realm.


>
> Best regards,
> Thomas
>
>
>
>