Actually I like the idea of having flexibility on this, initially I thought you were just
plain wrong ;)
If it's possible to create one or more social provider configurations separately to an
application, then when creating an application choose which social provider config to use,
we get best of both IMO.
This also means that someone setting up a Keycloak server could create a global social
provider config, which is then used by all applications. If on top of that we can select
who can access what realms, social provider configurations and applications you can make
these public or shared with a set of users. Also if we have fine-grained authz we can
define that the social provider config can be used and key viewed by all, but only admins
can view the secret.
This also means that when setting up the online Keycloak server there would be a (sample)
social provider config available to get you started with initially. Once you want more
control and/or let your users get more control you can define your own social provider
config.
So there would be 3 things that users can create:
* Realms
* Social config
* Applications
An application has one realm, and zero or 1 social configs.
In Keycloak online we could have a default public realm and social config which users can
use initially. Standard users would obviously have limited access to these, for example
they would not be able to:
* Manage users (view users, edit users, etc.)
* View secrets for social providers
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Monday, 22 July, 2013 2:44:50 PM
Subject: Re: [keycloak-dev] configuring social providers
On 7/22/2013 9:39 AM, Marko Strukelj wrote:
>
>
> ----- Original Message -----
>> On 07/22/2013 03:24 PM, Bolesław Dawidowicz wrote:
>>> On 07/22/2013 03:13 PM, Marko Strukelj wrote:
>>>> When using Google+ SignIn or Facebook SignIn or Twitter SignIn I
>>>> always get redirected to an authorization form where now there would
>>>> say something like:
>>>>
>>>> Application _Keycloak_ wants access to your email, and a list of
>>>> friends.
>>>>
>>>> Instead of saying:
>>>>
>>>> Application _SocialDemo_ wants access to your email ...
>>>>
>>>>
>>>> Me as a user I don't know anything about Keycloak. I came to the web
>>>> site of SocialDemo. When I see that Keycloak wants access to my
>>>> email, phishing alarms go off in my head ...
>>>
>>> Exactly...
>>
>> Also IIRC you define the level of access to user information per
>> application - and requirements may vary. Would it be possible with
>> global account?
>>
> You mean that by granting access to my list of friends when signing in via
> SocialDemo, I would be granting the same access to acme.com and all the
> apps using Keycloak? :)
> I'd say that's the case, yes.
>
You win.
You're right I'm wrong
You're the best, I'm the worst
You're good looking, I'm not very attractive...
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com