[keycloak-user] Google as identity provider

Thomas Darimont thomas.darimont at googlemail.com
Wed Apr 20 05:27:43 EDT 2016


This reminds me of a feature that was recently added to keycloak - "Provide
an endpoint that redirect to the actual client referred to by clientId."
https://issues.jboss.org/browse/KEYCLOAK-2469

Perhaps this could be used to define multi-stage redirect redirect URI -
the generic redirect endpoint mentioned in the issue could be populated
from the "state" parameter
which would then redirect to the approproate realm / broker client.

... just thinking out loud...

Cheers,
Thomas

2016-04-20 10:52 GMT+02:00 Thomas Raehalme <thomas.raehalme at aitiofinland.com
>:

> Hi!
>
> Some time ago I had a similar enquiry but the response was that every
> realm should have its own configuration in Google. This does add quite a
> lot of configuration overhead regarding SaaS applications and I would also
> like to see the state parameter being used to transfer the realm.
>
> You can find the discussion here:
> http://lists.jboss.org/pipermail/keycloak-dev/2016-January/006301.html
>
> Best regards,
> Thomas
>
>
>
> On Wed, Apr 20, 2016 at 11:37 AM, Martijn Claus <m.claus at smile.nl> wrote:
>
>> Hello,
>>
>>
>>
>> I’ve got a question regarding the identity provider google (and maybe
>> others). We are building a multi-tenant saas environment where the tenants
>> are dynamically added (which I think is a valid usecase). We use the
>> keycloak admin api to create a realm per tenant. We want to use (amongst
>> others) the google identity provider. For this you need to set up the
>> callback url in the google api client. The problem is that the callback url
>> is different for each realm and *Google does not allow wildcards in
>> redirect urls.*
>>
>>
>>
>> The redirect url format now:
>>
>> http://ourserver:8080/auth/realms/{realm}/broker/google/endpoint
>>
>>
>>
>> I don’t want to dynamically add redirect urls to the google api account.
>> Google has a solution for this, the client (ie KeyCloak) should use the
>> “state” queryparameter to add the realm. But this is a change Keycloak
>> needs to make imo.
>>
>>
>>
>> Someone with a related problem (not with keycloak)
>>
>>
>> http://stackoverflow.com/questions/13652062/subdomain-in-google-console-redirect-uris/13769166#13769166
>>
>>
>>
>> Any thoughts on this problem?
>>
>>
>>
>> PS: I can imagine this holds also true for other identity providers, but
>> Google was the first I tried.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160420/5f5d3328/attachment.html 


More information about the keycloak-user mailing list