On 20 April 2016 at 14:14, Martijn Claus <m.claus(a)smile.nl> wrote:
Hi all,
“# The Google client should be configured with name, contact details,
etc.. that is linked to the realm the user is logging in to, not to all
tenants”
Partially true, this might be a problem for some parties with
tenant-specific details. But our customers (tenants) buy a product X, which
they can use, but for all tenants it’s called X so the contact information
etc can be the same for all tenants.
“# You have limited API calls allowed to Google, go beyond this and you
have to pay. Tenants should configure their own Google provider.”
We don’t want to bother the client with setting stuff up. We’ll pay the
costs and via microtransactions for login or user of our product the client
indirectly pays for the API calls.
“# When users agree to share their profile information they should do so
on a per-realm (per-tenant) not to all tenants. Think about it, if you do
what you want users would effectively accept all tenants of your SaaS
access to their profile. That's bad..”
Might be that I misunderstand it, but as far as I can see, the url is
still the same, only differently formatted. Realm is still in the callback
url, only now in the state parameter instead of the URL path.
Considering the above is no short-term solution (and maybe not even a long
term), I’m looking for an alternative. I’m not familiar enough with
Keycloak to rule out inheritance. Is there such a thing as inheritance of
realms/identity providers?
Is there maybe a way identity providers can be inherited from another
realm or is there no form of inheritance like this currently possible in
Keycloak?
Well, you have 3 issues here:
# Sharing identity provider config - you could do this through admin
endpoints
# Including realm name in state param - you'll have to create your own
custom identity providers for this
# Adding a single callback endpoint - you can use realm resource spi
introduced in 1.9.2 for this
We're not going to add support for any of those in KC itself, not in the
long run either (for the reasons I listed previously), but you can achieve
it on your own.
*From:* Stian Thorgersen [mailto:sthorger@redhat.com]
*Sent:* Wednesday 20 April 2016 11:55
*To:* Martijn Claus <m.claus(a)smile.nl>
*Cc:* keycloak-user(a)lists.jboss.org
*Subject:* Re: [keycloak-user] Google as identity provider
I don't think you've thought this through completely.
If you create your own setting in Google to allow different tenants to
login then you're sharing the same Google client for all tenants, which is
bad for several reasons, including:
# The Google client should be configured with name, contact details, etc..
that is linked to the realm the user is logging in to, not to all tenants
# You have limited API calls allowed to Google, go beyond this and you
have to pay. Tenants should configure their own Google provider.
# When users agree to share their profile information they should do so on
a per-realm (per-tenant) not to all tenants. Think about it, if you do what
you want users would effectively accept all tenants of your SaaS access to
their profile. That's bad..
For those reasons we won't introduce the ability to share identity
provider configuration or have a shared callback.
On 20 April 2016 at 10:37, Martijn Claus <m.claus(a)smile.nl> wrote:
Hello,
I’ve got a question regarding the identity provider google (and maybe
others). We are building a multi-tenant saas environment where the tenants
are dynamically added (which I think is a valid use case). We use the
keycloak admin api to create a realm per tenant. We want to use (amongst
others) the google identity provider. For this you need to set up the
callback url in the google api client. The problem is that the callback url
is different for each realm and *Google does not allow wildcards in
redirect urls.*
The redirect url format now:
http://ourserver:8080/auth/realms/{realm}/broker/google/endpoint
I don’t want to dynamically add redirect urls to the google api account.
Google has a solution for this, the client (ie KeyCloak) should use the
“state” query parameter to add the realm. But this is a change Keycloak
needs to make imo.
Someone with a related problem (not with keycloak)
http://stackoverflow.com/questions/13652062/subdomain-in-google-console-r...
Any thoughts on this problem?
PS: I can imagine this holds also true for other identity providers, but
Google was the first I tried.
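Added example (not Keycloak code, not from either poster): a sketch of the "realm in the state parameter plus one shared callback" approach that the thread discusses, written to show the check a dispatcher needs before it trusts the realm name. The state value is HMAC-signed and bound to a one-time nonce issued when the login started, so state keeps its role as the OAuth CSRF token (RFC 6749 section 10.12) and a forged or replayed callback is rejected rather than routed to an arbitrary realm. The shared callback path, the client id and the secret are constructed placeholders; the realm-specific broker endpoint mirrors the URL quoted in the thread.

```python
"""Single shared OAuth callback that routes to the right Keycloak realm.

Added example, not Keycloak's own code. The realm rides in the OAuth
``state`` parameter, but the value is HMAC-signed and tied to a one-time
nonce, so the dispatcher only honours realm names it issued itself.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; a deployment would load these from config.
BASE_URL = "http://ourserver:8080"
SHARED_CALLBACK = f"{BASE_URL}/auth/broker-callback/google"  # hypothetical single redirect URI
GOOGLE_AUTHZ = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_CLIENT_ID = "EXAMPLE-CLIENT-ID.apps.googleusercontent.com"  # placeholder


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(realm: str, nonce: str, secret: bytes) -> str:
    """Encode realm + nonce and append an HMAC-SHA256 tag over the encoding."""
    payload = _b64(json.dumps({"realm": realm, "nonce": nonce}).encode())
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def parse_state(state: str, secret: bytes) -> tuple[str, str]:
    """Verify the tag in constant time and return (realm, nonce); ValueError on tampering."""
    try:
        payload, tag = state.split(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            raise ValueError("state signature mismatch")
        data = json.loads(_unb64(payload))
        return data["realm"], data["nonce"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError(f"invalid state: {exc}") from None


def state_of(url: str) -> str:
    """Extract the state query parameter from an authorization or callback URL."""
    return parse_qs(urlparse(url).query)["state"][0]


class LoginDispatcher:
    """Issues a nonce when a login starts and consumes it exactly once on callback."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending: dict[str, str] = {}  # nonce -> realm; in-memory for the example

    def start_login(self, realm: str) -> str:
        """Return the Google authorization URL for this realm using the shared redirect_uri."""
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = realm
        params = {
            "client_id": GOOGLE_CLIENT_ID,
            "redirect_uri": SHARED_CALLBACK,
            "response_type": "code",
            "scope": "openid email profile",
            "state": make_state(realm, nonce, self._secret),
        }
        return f"{GOOGLE_AUTHZ}?{urlencode(params)}"

    def route_callback(self, callback_url: str) -> str:
        """Validate the returned state and return the realm-specific broker endpoint to forward to."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        if not state or not code:
            raise ValueError("missing code or state")
        realm, nonce = parse_state(state, self._secret)
        # One-time use: a replayed or forged callback finds no pending nonce.
        if self._pending.pop(nonce, None) != realm:
            raise ValueError("unknown or already used state")
        target = f"{BASE_URL}/auth/realms/{realm}/broker/google/endpoint"
        return f"{target}?{urlencode({'code': code, 'state': state})}"


if __name__ == "__main__":
    d = LoginDispatcher(secrets.token_bytes(32))
    authz = d.start_login("tenant-a")
    callback = f"{SHARED_CALLBACK}?{urlencode({'code': '4/constructed-code', 'state': state_of(authz)})}"
    print(d.route_callback(callback))
```

The in-memory nonce table stands in for whatever session store the dispatcher would share with the realm's login flow; the important property is that each nonce is issued before the redirect and consumed once, so the realm name in state is never taken at face value.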
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user