Hello,

 

I’ve got a question regarding the identity provider google (and maybe others). We are building a multi-tenant saas environment where the tenants are dynamically added (which I think is a valid usecase). We use the keycloak admin api to create a realm per tenant. We want to use (amongst others) the google identity provider. For this you need to set up the callback url in the google api client. The problem is that the callback url is different for each realm and Google does not allow wildcards in redirect urls.

 

The redirect url format now:

http://ourserver:8080/auth/realms/{realm}/broker/google/endpoint

 

I don’t want to dynamically add redirect urls to the google api account. Google has a solution for this, the client (ie KeyCloak) should use the “state” queryparameter to add the realm. But this is a change Keycloak needs to make imo.

 

Someone with a related problem (not with keycloak)

http://stackoverflow.com/questions/13652062/subdomain-in-google-console-redirect-uris/13769166#13769166

 

Any thoughts on this problem?

 

PS: I can imagine this holds also true for other identity providers, but Google was the first I tried.