A key/secret in Google (and same for Facebook, Twitter, etc.) maps onto the configuration
for a single application. The first time a user logs in to an application through Google (with
or without Keycloak) they expect to see a message "Foo is requesting permission to
...". The second time they log in to the same application they are just redirected back
to the application and automatically logged in (if they are already logged in to Google
that is). If they try to log in to a different application they expect the message
"Bar is requesting permission to ...". Also in their Google account they can
list all the applications that have access to their account, including what information
they can access. They can also revoke access to individual applications.
This requires a separate configuration for each application for each enabled social
provider. Hence why in IdentityBroker there's a list of social providers, including
the key/secret, for each individual application. The plan was that further down the line
it would be possible to share social provider configurations between a group of related
applications. Maybe "a group of related applications" maps onto a realm, in
which case we could have this configured on a realm instead of on individual
applications.
In the end it boils down to at what level users should be able to accept/revoke access to
their social accounts, and what details are shown on their social account about the
application. In my opinion this is definitely not a server-wide setting. Also it's
not possible to automatically configure this as it has to be linked to someone's social
account (to use login with Google+ you have to have a Google+ account).
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Saturday, 20 July, 2013 2:45:17 AM
Subject: [keycloak-dev] configuring social providers
In looking at your demo, is there any reason you need to define the
metadata for the social provider? Can't you either
a) Preconfigure Keycloak server with Twitter, Google+ account?
b) Automatically configure the social provider without user input.
Since Keycloak is already a broker, why does a user need to input any of
that metadata?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
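The consent behaviour described in the reply above (prompt on first login per application, silent redirect afterwards, per-application listing and revocation in the user's account) follows from the provider keying its consent store on the client id that the key/secret belongs to. The following is an added example, not Keycloak or Google code: a toy model of a provider's consent store, run once with a key/secret per application and once with a single key/secret shared by a realm. The user, application and client id names are made up, and the model assumes the user always accepts the prompt.

```python
"""Toy model of a social provider's OAuth consent store.

Added example, not Keycloak code: it models only the provider-side behaviour
discussed in the thread. Consent is remembered per (user, client_id); the
"X is requesting permission to ..." prompt appears the first time that
client_id asks for a scope; the account page lists connected apps by
client_id; revocation is by client_id. Users always accept the prompt.
All identifiers (alice, Foo, Bar, the client ids) are made up.
"""
from dataclasses import dataclass, field


@dataclass
class SocialProvider:
    clients: dict = field(default_factory=dict)   # client_id -> name shown in the prompt
    consents: dict = field(default_factory=dict)  # (user, client_id) -> granted scopes

    def register_client(self, client_id, display_name):
        """What the app developer does once in the provider's console (gets a key/secret)."""
        self.clients[client_id] = display_name

    def authorize(self, user, client_id, scopes):
        """One authorization request. Returns the prompt text shown to the
        user, or None when every requested scope was already granted."""
        if client_id not in self.clients:
            raise ValueError("unregistered client_id: " + client_id)
        key = (user, client_id)
        granted = self.consents.setdefault(key, set())
        missing = sorted(set(scopes) - granted)
        if not missing:
            return None                       # silent redirect, already consented
        granted.update(missing)               # the user accepts the prompt
        return "%s is requesting permission to %s" % (self.clients[client_id], ", ".join(missing))

    def connected_apps(self, user):
        """What the user sees on their account's 'connected applications' page."""
        return {self.clients[cid]: sorted(scopes)
                for (u, cid), scopes in self.consents.items() if u == user}

    def revoke(self, user, client_id):
        """The user revokes one entry on the connected applications page."""
        self.consents.pop((user, client_id), None)

    def has_access(self, user, client_id):
        return bool(self.consents.get((user, client_id)))


def per_application_clients():
    """Each application has its own key/secret at the provider (the IdentityBroker layout)."""
    g = SocialProvider()
    g.register_client("foo-client-id", "Foo")
    g.register_client("bar-client-id", "Bar")
    first = g.authorize("alice", "foo-client-id", ["email"])
    second = g.authorize("alice", "foo-client-id", ["email"])
    bar = g.authorize("alice", "bar-client-id", ["email"])
    apps = g.connected_apps("alice")
    g.revoke("alice", "foo-client-id")        # alice cuts off Foo only
    return {
        "foo_first_login": first,
        "foo_second_login": second,
        "bar_first_login": bar,
        "listed_apps": sorted(apps),
        "bar_keeps_access_after_revoking_foo": g.has_access("alice", "bar-client-id"),
    }


def shared_realm_client():
    """One key/secret shared by every application in a realm."""
    g = SocialProvider()
    g.register_client("realm-client-id", "Demo Realm")
    foo = g.authorize("alice", "realm-client-id", ["email"])
    bar = g.authorize("alice", "realm-client-id", ["email"])   # Bar rides on Foo's consent
    apps = g.connected_apps("alice")
    g.revoke("alice", "realm-client-id")      # alice meant to cut off Foo only
    return {
        "foo_first_login": foo,
        "bar_first_login": bar,
        "listed_apps": sorted(apps),
        "bar_keeps_access_after_revoking_foo": g.has_access("alice", "realm-client-id"),
    }


if __name__ == "__main__":
    for name, fn in (("per-application", per_application_clients),
                     ("shared realm", shared_realm_client)):
        print(name)
        for k, v in fn().items():
            print("  %s: %r" % (k, v))
```

With a shared client the second application never prompts, the account page shows a single "Demo Realm" entry rather than Foo and Bar, and revoking that entry silently removes both applications' access; that is the trade-off behind the question of which level the configuration should live at.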