I second all of Travis' suggestions and ideas. We currently use a very well known
commercial product that doesn't support the below feature and hence are looking at
other options. Even we just need the capability to customize the themes for each client
application that includes password reset, multi factor authentication etc. Moreover,
depending upon the division and region, type of application (internet or intranet), we
will have to display additional text (legal requirements) on the login screens.
Ideally we should be able to create custom templates upfront and make them available
during the client registration. While most of the client applications would use the
default login template, a few applications would select different login templates but the
underlying authentication, single signon realm etc will remain the same.
From: Travis De Silva <traviskds(a)gmail.com>
To: stian(a)redhat.com
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Sent: Monday, January 4, 2016 8:25 AM
Subject: Re: [keycloak-user] Different theme for each client
HI Stian,
Adding SSO zones just to address the theming issue looks a bit overkill to me as it will
eventually come down to doing some theming at a level below the realm. I was going on the
basis that if theming is not set at a client level, then it will default to the realm
level theming which is basically your SSO enabled zone.
Also my other point was with regard to SaaS based applications where we have a backoffice
system which is themed as per our SaaS product but the consumer facing front end needs to
be themed to be aligned with the customer's web site. In this case, we cannot go with
what KeyCloak has at present. What I am doing is as suggested by Bill sometime back,
adding "if/else" statements into the freemarker templates and based on the
client id loading different freemarker templates which is not ideal but does the job.
In any case, since what we are discussing is in general edge cases, Therefore instead of
complicating the core KeyCloak platform, why don't you just expose the various
links/flows that is currently available in the login process (forgot password/reset
credentials, required actions (update password, verify email, configure OTP, etc.), user
account mgmt, registration, social login etc. Then we are still using the core of keycloak
but for the frontend themes/UI, we use our own.
I also haven't explored the Login SPI which as per the KeyCloak docs which says
"The Login SPI allows implementing the login forms using whatever web framework or
templating engine you want". Wonder if this will give us what we are after.
CheersTravis
On Mon, 4 Jan 2016 at 22:27 Stian Thorgersen <sthorger(a)redhat.com> wrote:
I strongly disagree. With Keycloak you are logging in to a SSO realm, not an individual
application. With that in mind it's important that the login screen reflects that.
Users need to know the difference as it's an important distinction. It just
doesn't make any sense that I'm logged-in to the SSO with a login screen that is
themed to look like the login screen for an individual application.
Adding an option on clients to set the theme just doesn't make any sense. If we added
the option to create SSO "zones" or disable SSO for individual applications then
it would make sense to be able to set theme on a per-zone or apps that doesn't have
SSO enabled.
On 31 December 2015 at 09:46, Travis De Silva <traviskds(a)gmail.com> wrote:
Hi,
My vote is to provide this feature at a client level as per the original request.
I think realms should be used for completely different domains when we want to isolate
users etc. Should not try and use it for something that it was not intended in the
design.
The reason why you might need theming at client level is iif you really think that clients
which are essentially different applications most of the time and each of these
applications might have different look and feel themes (either due to different
development teams or vendors building different applications).
So when someone logins via KeyCloak, its true that we are logging into a realm but for an
end user, it is really logging into a application and there is a need for the login page
theme to look similar to the application look and feel.
Also I have a use case where I have a back office application that requires login for
admin users and then I have the front office of this application where in addition to the
admin users, you also can have other users as well who can self register and login to the
front end which is a consumer facing site.
How I handle this is by having two clients in the same realm. This works fine if you are
happy with the same backend login theme to be there for the consumer facing frontend. But
we cannot do that as the front end is a consumer facing SaaS site, so each front end needs
to have the client's website theme. This becomes very hard to do if we don't have
theming at a client level.
I came across this post from Bill a few months
ago http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
I am thinking to make use of the client variable that is available in login.ftl and load
different freemarker fragments that will then theme it differently for each client. As
mentioned by Bill, having many if conditions might not be ideal but it might meet the
requirement.
CheersTravis
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user