<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 14 January 2016 at 09:12, Thomas Raehalme <span dir="ltr"><<a href="mailto:thomas.raehalme@aitiofinland.com" target="_blank">thomas.raehalme@aitiofinland.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="">On Thu, Jan 14, 2016 at 9:48 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote"><span>On 13 January 2016 at 22:09, Thomas Raehalme <span dir="ltr"><<a href="mailto:thomas.raehalme@aitiofinland.com" target="_blank">thomas.raehalme@aitiofinland.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Hi!</p>
<p dir="ltr">Google doesn't accept wildcards in redirect URLs. This means I have to create a separate client for every realm in the Google console. </p>
<p dir="ltr">Any chance we could have a shared redirect URL across realms? Maybe as an option in the federation configuration? Then I could share the same Google config for each tenant.</p></blockquote></span><div>-1 The client in Google should be per-realm as otherwise you're also sharing the config in Google (logo, contact email, etc.) and also consent. Also, all logic here is per-realm so it would be a fair bit of special code to be able to support this.<br></div></div></div></div></blockquote><div><br></div></span><div>I understand your points, but in a SaaS application with a realm per tenant, it would simplify operations a great deal. You'd probably be sharing the config in Google anyways.</div></div></div></div></blockquote><div><br></div><div>In a SaaS application it's even more important to have a separate client at Google. You want the owner of the tenant to bring their own and not have one shared between all tenants. Another issue is the number of requests per client. Google limits the number of free API calls you can do (can't remember how many) and you have to pay after that. I don't think you want to pay for all tenants of a SaaS platform in one go?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><br></div><div>For example, themes are also shared across realms so would it really be such a big problem considering the advantages? </div></div></div></div></blockquote><div><br></div><div>Theme sources are shared, but they are still configured individually per realm and also bring in config from the realm itself. A theme is just like a JAR in this perspective.</div><div><br></div><div>Having a shared redirect URI for an identity broker would mean we'd need a non-realm-specific endpoint for this, which means the endpoint would have to somehow figure out what realm the redirect belongs to before processing it. 
This may be even more complicated in the future if we introduce more isolation between realms. For example having a different store for each realm.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><br></div><div>Best regards,</div><div>Thomas</div><div></div></div><br>
</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div></div>
</blockquote></div><br></div></div>