+1.
It also hit me during this conversation that Bill is quite right around
the idea he pushed for - just missed some constraints.
Making it easier to use OOTB sounds very good. It just needs to be more
configurable than that.
On 07/22/2013 03:56 PM, Stian Thorgersen wrote:
Actually I like the idea of having flexibility on this, initially I
thought you were just plain wrong ;)
If it's possible to create one or more social provider configurations
separately to an application, then when creating an application
choose which social provider config to use, we get best of both IMO.
This also means that someone setting up a Keycloak server could
create a global social provider config, which is then used by all
applications. If on top of that we can select who can access what
realms, social provider configurations and applications you can make
these public or shared with a set of users. Also if we have
fine-grained authz we can define that the social provider config can
be used and key viewed by all, but only admins can view the secret.
This also means that when setting up the online Keycloak server there
would be a (sample) social provider config available to get you
started with initially. Once you want more control and/or let your
users get more control you can define your own social provider
config.
So there would be 3 things that users can create:
* Realms
* Social config
* Applications
An application has one realm, and zero or 1 social configs.
In Keycloak online we could have a default public realm and social
config which users can use initially. Standard users would obviously
have limited access to these, for example they would not be able to:
* Manage users (view users, edit users, etc.)
* View secrets for social providers
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 22 July, 2013 2:44:50 PM
> Subject: Re: [keycloak-dev] configuring social providers
>
>
>
> On 7/22/2013 9:39 AM, Marko Strukelj wrote:
>>
>>
>> ----- Original Message -----
>>> On 07/22/2013 03:24 PM, Bolesław Dawidowicz wrote:
>>>> On 07/22/2013 03:13 PM, Marko Strukelj wrote:
>>>>> When using Google+ SignIn or Facebook SignIn or Twitter
>>>>> SignIn I always get redirected to an authorization form
>>>>> where now there would say something like:
>>>>>
>>>>> Application _Keycloak_ wants access to your email, and a
>>>>> list of friends.
>>>>>
>>>>> Instead of saying:
>>>>>
>>>>> Application _SocialDemo_ wants access to your email ...
>>>>>
>>>>>
>>>>> Me as a user I don't know anything about Keycloak. I came
>>>>> to the web site of SocialDemo. When I see that Keycloak
>>>>> wants access to my email, phishing alarms go off in my head
>>>>> ...
>>>>
>>>> Exactly...
>>>
>>> Also IIRC you define the level of access to user information
>>> per application - and requirements may vary. Would it be
>>> possible with global account?
>>>
>> You mean that by granting access to my list of friends when
>> signing in via SocialDemo, I would be granting the same access to
>> acme.com and all the apps using Keycloak? :) I'd say that's the
>> case, yes.
>>
>
> You win.
>
> You're right I'm wrong
> You're the best, I'm the worst
> You're good looking, I'm not very attractive...
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev