<div dir="ltr">Hi!<div><br></div><div>Some time ago I had a similar enquiry but the response was that every realm should have its own configuration in Google. This does add quite a lot of configuration overhead regarding SaaS applications and I would also like to see the state parameter being used to transfer the realm.</div><div><br></div><div>You can find the discussion here:</div><div><a href="http://lists.jboss.org/pipermail/keycloak-dev/2016-January/006301.html">http://lists.jboss.org/pipermail/keycloak-dev/2016-January/006301.html</a><br></div><div><br></div><div>Best regards,</div><div>Thomas</div><div><br></div><div><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 20, 2016 at 11:37 AM, Martijn Claus <span dir="ltr"><<a href="mailto:m.claus@smile.nl" target="_blank">m.claus@smile.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="NL" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal"><span lang="EN-US">Hello,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I’ve got a question regarding the identity provider google (and maybe others). We are building a multi-tenant saas environment where the tenants are dynamically added (which I think is a valid usecase). We use the keycloak
admin api to create a realm per tenant. We want to use (amongst others) the google identity provider. For this you need to set up the callback url in the google api client. The problem is that the callback url is different for each realm and
<b>Google does not allow wildcards in redirect urls.</b> <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">The redirect url format now:<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><a href="http://ourserver:8080/auth/realms/%7brealm%7d/broker/google/endpoint" target="_blank">http://ourserver:8080/auth/realms/{realm}/broker/google/endpoint</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I don’t want to dynamically add redirect urls to the google api account. Google has a solution for this, the client (ie KeyCloak) should use the “state” queryparameter to add the realm. But this is a change Keycloak needs
to make imo.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Someone with a related problem (not with keycloak)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><a href="http://stackoverflow.com/questions/13652062/subdomain-in-google-console-redirect-uris/13769166#13769166" target="_blank">http://stackoverflow.com/questions/13652062/subdomain-in-google-console-redirect-uris/13769166#13769166</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Any thoughts on this problem?<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">PS: I can imagine this holds also true for other identity providers, but Google was the first I tried.<u></u><u></u></span></p>
</div>
</div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br><br>
</div></div></div>