<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 20 April 2016 at 14:14, Martijn Claus <span dir="ltr"><<a href="mailto:m.claus@smile.nl" target="_blank">m.claus@smile.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="NL" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span lang="EN-US">Hi all,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">“# The Google client should be configured with name, contact details, etc. that is linked to the realm the user is logging in to, not to all tenants”<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Partially true; this might be a problem for some parties with tenant-specific details. But our customers (tenants) buy a product X, which they can use, and for all tenants it’s called X, so the contact information etc. can be the same for all tenants.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">“# You have limited API calls allowed to Google, go beyond this and you have to pay. Tenants should configure their own Google provider.”<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">We don’t want to bother the client with setting stuff up. We’ll pay the costs, and via microtransactions for login or use of our product the client indirectly pays for the API calls.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">“# When users agree to share their profile information they should do so on a per-realm (per-tenant) not to all tenants. Think about it, if you do what you want users would effectively accept all tenants of your SaaS
access to their profile. That's bad..”<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Might be that I misunderstand it, but as far as I can see the URL is still the same, only differently formatted. The realm is still in the callback URL, only now in the state parameter instead of the URL path.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Considering the above is no short-term solution (and maybe not even a long-term one), I’m looking for an alternative. I’m not familiar enough with Keycloak to rule out inheritance. Is there such a thing as inheritance of realms/identity providers?<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Is there maybe a way identity providers can be inherited from another realm, or is there no form of inheritance like this currently possible in Keycloak?</span></p></div></div></blockquote><div><br></div><div>Well, you have 3 issues here:</div><div><br></div><div># Sharing identity provider config - you could do this through admin endpoints</div><div># Including realm name in state param - you'll have to create your own custom identity providers for this</div><div># Adding a single callback endpoint - you can use the realm resource SPI introduced in 1.9.2 for this</div><div><br></div><div>We're not going to add support for any of those in KC itself, not in the long run either (for the reasons I listed previously), but you can achieve it on your own.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="NL" link="blue" vlink="purple"><div><p class="MsoNormal"><span lang="EN-US"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Stian Thorgersen [mailto:<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>]
<br>
<b>Sent:</b> Wednesday 20 April 2016 11:55<br>
<b>To:</b> Martijn Claus <<a href="mailto:m.claus@smile.nl" target="_blank">m.claus@smile.nl</a>><br>
<b>Cc:</b> <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<b>Subject:</b> Re: [keycloak-user] Google as identity provider<u></u><u></u></span></p><div><div class="h5">
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">I don't think you've thought this through completely.<u></u><u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">If you create your own setting in Google to allow different tenants to log in, then you're sharing the same Google client for all tenants, which is bad for several reasons, including:<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"># The Google client should be configured with name, contact details, etc. that is linked to the realm the user is logging in to, not to all tenants<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"># You have limited API calls allowed to Google, go beyond this and you have to pay. Tenants should configure their own Google provider.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"># When users agree to share their profile information they should do so on a per-realm (per-tenant) basis, not to all tenants. Think about it: if you do what you want, users would effectively give all tenants of your SaaS access to their profile. That's bad.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US">For those reasons we won't introduce the ability to share identity provider configuration or have a shared callback.<u></u><u></u></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On 20 April 2016 at 10:37, Martijn Claus <</span><a href="mailto:m.claus@smile.nl" target="_blank"><span lang="EN-US">m.claus@smile.nl</span></a><span lang="EN-US">> wrote:<u></u><u></u></span></p>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Hello,<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I’ve got a question regarding the identity provider Google (and maybe others). We are building a multi-tenant SaaS environment where the tenants are dynamically added (which I think is a valid use case). We use the Keycloak admin API to create a realm per tenant. We want to use (amongst others) the Google identity provider. For this you need to set up the callback URL in the Google API client. The problem is that the callback URL is different for each realm and <b>Google does not allow wildcards in redirect URLs.</b><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">The redirect URL format now:<u></u><u></u></span></p>
<p class="MsoNormal"><a href="http://ourserver:8080/auth/realms/%7brealm%7d/broker/google/endpoint" target="_blank"><span lang="EN-US">http://ourserver:8080/auth/realms/{realm}/broker/google/endpoint</span></a><span lang="EN-US"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I don’t want to dynamically add redirect URLs to the Google API account. Google has a solution for this: the client (i.e. Keycloak) should use the “state” query parameter to add the realm. But this is a change Keycloak needs to make IMO.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Someone with a related problem (not with Keycloak):<u></u><u></u></span></p>
<p class="MsoNormal"><a href="http://stackoverflow.com/questions/13652062/subdomain-in-google-console-redirect-uris/13769166#13769166" target="_blank"><span lang="EN-US">http://stackoverflow.com/questions/13652062/subdomain-in-google-console-redirect-uris/13769166#13769166</span></a><span lang="EN-US"><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Any thoughts on this problem?<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"> <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">PS: I can imagine this holds also true for other identity providers, but Google was the first I tried.<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"><br>
_______________________________________________<br>
keycloak-user mailing list<br>
</span><a href="mailto:keycloak-user@lists.jboss.org" target="_blank"><span lang="EN-US">keycloak-user@lists.jboss.org</span></a><span lang="EN-US"><br>
</span><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank"><span lang="EN-US">https://lists.jboss.org/mailman/listinfo/keycloak-user</span></a><span lang="EN-US"><u></u><u></u></span></p>
</blockquote>
</div>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
</div>
</div></div></div>
</div>
</blockquote></div><br></div></div>
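The thread proposes carrying the realm in the OAuth `state` parameter so that a single redirect URI can be registered at Google, and Stian's reply says Keycloak would only support that through a custom identity provider plus the realm resource SPI. What neither message spells out is the check a single callback then needs: `state` arrives as attacker-controllable input, so the realm inside it must be integrity-protected and bound to the browser session before it is trusted for routing. The Python below is an added example written for this page; it is not Keycloak code and not code from either poster. It assumes a server-side HMAC key loaded from configuration (`STATE_KEY`, a constructed placeholder), a per-login nonce kept in the user's session between redirect and callback, and a whitelist for realm names; the per-realm endpoint template is the URL quoted in the thread. It models only the state handling, not the shared-client consent and quota objections Stian raises, which it does not resolve.

```python
"""Added example: realm carried in a signed OAuth `state` for a single Google callback.

Not Keycloak code and not from the thread's posters. Assumptions (all constructed
for this example): STATE_KEY is a server-side secret loaded from configuration, the
per-login nonce is kept in the user's browser session (e.g. a cookie) between the
redirect to Google and the callback, and realm names are restricted to a safe charset.
"""
import base64
import binascii
import hashlib
import hmac
import json
import re
import secrets

# Constructed placeholder; a deployment loads this from configuration.
STATE_KEY = b"example-state-signing-key-not-for-production"
# Per-realm broker endpoint shape quoted in the thread; the single registered
# callback resolves the realm from `state` and hands off to this URL.
CALLBACK_TEMPLATE = "http://ourserver:8080/auth/realms/{realm}/broker/google/endpoint"
REALM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_nonce() -> str:
    """Fresh per-login nonce; store it in the browser session when redirecting to Google."""
    return secrets.token_urlsafe(16)


def build_state(realm: str, nonce: str, now: int, ttl: int = 300, key: bytes = STATE_KEY) -> str:
    """Pack realm, nonce and expiry into one URL-safe token and HMAC-SHA256 sign it.

    The realm is whitelisted before it can ever be interpolated into a URL.
    """
    if not REALM_RE.match(realm):
        raise ValueError("invalid realm name")
    payload = json.dumps({"realm": realm, "nonce": nonce, "exp": now + ttl},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig)


def parse_state(state: str, session_nonce: str, now: int, key: bytes = STATE_KEY):
    """Return the realm if `state` is authentic, unexpired and bound to this session, else None.

    Every check fails closed: `state` is attacker-controllable input on the callback, so the
    realm is only trusted after the signature verifies.
    """
    try:
        payload_b64, sig_b64 = state.split(".", 1)
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):          # constant-time comparison
        return None
    data = json.loads(payload)                          # parsed only after the MAC check
    exp = data.get("exp")
    if not isinstance(exp, int) or exp < now:
        return None
    # Bind the response to the browser that started the login (CSRF protection).
    if not hmac.compare_digest(str(data.get("nonce", "")).encode(), session_nonce.encode()):
        return None
    realm = data.get("realm")
    if not isinstance(realm, str) or not REALM_RE.match(realm):
        return None
    return realm


def route_callback(query: dict, session_nonce: str, now: int):
    """Single registered callback: resolve the realm from `state`, return the per-realm endpoint.

    Returns None (reject the request) when `code` or `state` is missing or `state` fails validation.
    """
    if "code" not in query or "state" not in query:
        return None
    realm = parse_state(query["state"], session_nonce, now)
    if realm is None:
        return None
    return CALLBACK_TEMPLATE.format(realm=realm)


if __name__ == "__main__":
    # Constructed walk-through: redirect for tenant "tenant-a", then the callback arrives.
    now = 1_461_150_000  # constructed epoch timestamp
    nonce = new_nonce()
    state = build_state("tenant-a", nonce, now)
    print(route_callback({"code": "constructed-auth-code", "state": state}, nonce, now + 5))
    # A state whose payload was altered after signing is rejected.
    tampered = ("A" if state[0] != "A" else "B") + state[1:]
    print(route_callback({"code": "constructed-auth-code", "state": tampered}, nonce, now + 5))
```

The design point is that `state` here does two jobs at once: the nonce bound to the session keeps its usual CSRF role, and the HMAC is what makes the realm field safe to act on, since without it the callback would route Google's response to whatever realm the query string named. The short expiry limits how long a captured value stays usable, and the realm whitelist keeps the resolved name from being interpolated into a URL unchecked.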