<div dir="ltr">This reminds me of a feature that was recently added to keycloak - "Provide an endpoint that redirect to the actual client referred to by clientId."<div><a href="https://issues.jboss.org/browse/KEYCLOAK-2469">https://issues.jboss.org/browse/KEYCLOAK-2469</a><br></div><div><br></div><div>Perhaps this could be used to define multi-stage redirect redirect URI - the generic redirect endpoint mentioned in the issue could be populated from the "state" parameter</div><div>which would then redirect to the approproate realm / broker client.</div><div><br></div><div>... just thinking out loud...</div><div><br></div><div>Cheers,</div><div>Thomas</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-04-20 10:52 GMT+02:00 Thomas Raehalme <span dir="ltr"><<a href="mailto:thomas.raehalme@aitiofinland.com" target="_blank">thomas.raehalme@aitiofinland.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi!<div><br></div><div>Some time ago I had a similar enquiry but the response was that every realm should have its own configuration in Google. This does add quite a lot of configuration overhead regarding SaaS applications and I would also like to see the state parameter being used to transfer the realm.</div><div><br></div><div>You can find the discussion here:</div><div><a href="http://lists.jboss.org/pipermail/keycloak-dev/2016-January/006301.html" target="_blank">http://lists.jboss.org/pipermail/keycloak-dev/2016-January/006301.html</a><br></div><div><br></div><div>Best regards,</div><div>Thomas</div><div><br></div><div><br><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Wed, Apr 20, 2016 at 11:37 AM, Martijn Claus <span dir="ltr"><<a href="mailto:m.claus@smile.nl" target="_blank">m.claus@smile.nl</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div class="h5">
<div lang="NL" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal"><span lang="EN-US">Hello,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I’ve got a question regarding the identity provider google (and maybe others). We are building a multi-tenant saas environment where the tenants are dynamically added (which I think is a valid usecase). We use the keycloak
admin api to create a realm per tenant. We want to use (amongst others) the google identity provider. For this you need to set up the callback url in the google api client. The problem is that the callback url is different for each realm and
<b>Google does not allow wildcards in redirect urls.</b> <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">The redirect url format now:<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><a href="http://ourserver:8080/auth/realms/%7brealm%7d/broker/google/endpoint" target="_blank">http://ourserver:8080/auth/realms/{realm}/broker/google/endpoint</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I don’t want to dynamically add redirect urls to the google api account. Google has a solution for this, the client (ie KeyCloak) should use the “state” queryparameter to add the realm. But this is a change Keycloak needs
to make imo.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Someone with a related problem (not with keycloak)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><a href="http://stackoverflow.com/questions/13652062/subdomain-in-google-console-redirect-uris/13769166#13769166" target="_blank">http://stackoverflow.com/questions/13652062/subdomain-in-google-console-redirect-uris/13769166#13769166</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Any thoughts on this problem?<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">PS: I can imagine this holds also true for other identity providers, but Google was the first I tried.<u></u><u></u></span></p>
</div>
</div>
<br></div></div>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br><br>
</div></div></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>