[keycloak-dev] KEYCLOAK-11152 : attributes for clients

Wed Nov 6 03:43:03 EST 2019

Is it only logo and contact you want to add for a client? Those are fields
that we should have available directly in the client config anyways, so
wouldn't need a generic client attributes tab.

Take a look at
https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
for
instance. There is logo_uri as well as contacts defined as standard
configuration options for a client.

On Wed, 6 Nov 2019 at 08:51, cedric at couralet.eu <cedric at couralet.eu> wrote:

> The PR https://github.com/keycloak/keycloak/pull/6250 is not mine and
> doesn't really reflect my own use case.
> In our case we often have the need to marginally customize the keycloak
> page (login/account) for each client, to change logo, or change a link to a
> contact mail. At the moment we do this by deploying new themes each time,
> but it doesn't scale very well with a large number of client.
> I saw Keycloak-11152 as a good option to manage some client
> personalization for the keycloak pages, but maybe client attribute is not
> the right way.
>
> Thanks for the answer,
> Cédric
>
>
> Le Mercredi, Novembre 06, 2019 08:13 CET, Stian Thorgersen <
> sthorger at redhat.com> a écrit:
>
> > I'm not in favor of adding this.
> >
> > Client attributes are internally used, not aimed at users to introduce
> > arbitrary attributes. There's no reserved internally attribute names, as
> > such there is no guarantee that user defined client attributes don't
> > conflict with internally defined client attributes.
> >
> > From what I know this is the first time the ability to define client
> > attributes in the admin console is being requested. The UI for adding
> > attributes adds complexity to the client configuration screen, which is
> not
> > something we want if there's very few users of it.
> >
> > Looking at the use-cases mentioned in
> > https://github.com/keycloak/keycloak/pull/6250. They can be achieved
> either
> > with overriding the theme for a client, or with a client scope.
> > For no_email_verification I would rather have added a "verified_email"
> > client scope, which when requested requires the user to verify the email,
> > rather than the opposite. For auto_group_join that doesn't make much
> sense
> > to me to add a user automatically to a group when they login to a client.
> > It could be achieved with a client scope, but then again I think you
> should
> > probably rethink this approach.
> >
> > On Wed, 6 Nov 2019 at 07:28, cedric at couralet.eu <cedric at couralet.eu>
> wrote:
> >
> > > Hi,
> > >
> > > Do you have any idea if this feature could land in keycloak ?
> > > For us, it could limit *a lot* the number of themes we have to
> maintain.
> > > We have a lot of login page where app developer want to put link to
> help
> > > page or other informational notice (or descriptions, logos...), but
> > > keycloak lack a way to add it by client (except by a new theme each
> time).
> > > We play a little with client description but it is not really elegant.
> > >
> > > I see attributes for clients as a way to better customize keycloak
> page by
> > > clients (attributes would need to be accessible from template
> obviously).
> > >
> > > Cédric
> > >
> > >
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>