On 20.04.2016 14:14, Martijn Claus wrote:
“# When users agree to share their profile information they should do so
on a per-realm (per-tenant) not to all tenants. Think about it, if you
do what you want users would effectively accept all tenants of your SaaS
access to their profile. That's bad..”
Might be that I misunderstand it, but as far as I can see, the url is
still the same, only differently formatted. Realm is still in the
callback url, only now in the state parameter instead of the urlpath.
As a user on the realm "foo", I have not given permission to tenant
"bar" to use my Google information.
Considering the above is no short-term solution (and maybe not even a
long term), I’m looking for an alternative. I’m not familiar enough with
Keycloak to rule out inheritance. Is there such a thing as inheritance
of realms/identity providers?
I think Stian's arguments are very powerful and I would certainly
reconsider. If you do decide to go with multiple tenants on a single
shared Google API account, you could put an nginx/httpd in front of your
Keycloak server and perform a URL rewrite:
http://.../?state=foo_realm -> http://.../auth/realms/foo_realm/...
- Juca.
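One way the rewrite Juca describes could look in nginx, as an added example that is not from the thread or from the Keycloak project. It assumes Keycloak is proxied under /auth on sso.example.com, that Google is registered with the single shared callback path /auth/google-callback, and that the realm name travels in the state query parameter; the realm's broker endpoint path and all hostnames are assumptions. Keycloak normally generates and checks the state value itself, so carrying the realm in it also needs cooperation on the Keycloak side; the allowlist map below is there so an attacker-chosen state cannot steer the callback into an arbitrary realm path.

```nginx
# Added example (not from the thread). Placed inside the http {} context.
# Map the state value to a realm name. Anything not listed maps to "",
# so the request is rejected instead of being rewritten into an
# arbitrary realm path chosen by whoever crafted the query string.
map $arg_state $target_realm {
    default     "";
    "foo_realm" "foo_realm";
    "bar_realm" "bar_realm";
}

server {
    listen 443 ssl;
    server_name sso.example.com;   # assumed hostname
    # ssl_certificate / ssl_certificate_key omitted

    # Single shared callback URL registered with Google (assumed path).
    location = /auth/google-callback {
        if ($target_realm = "") {
            return 400;
        }
        # Hand the callback to that realm's Google broker endpoint
        # (assumed Keycloak path); the query string (code, state) is kept.
        rewrite ^ /auth/realms/$target_realm/broker/google/endpoint last;
    }

    location /auth/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Note that this only moves the request between realm paths; it does not change the fact, raised earlier in the thread, that the consent the user gave to Google was for one shared application rather than per tenant.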