[keycloak-dev] configuring social providers

Bolesław Dawidowicz bdawidow at redhat.com
Mon Jul 22 07:48:51 EDT 2013


The whole concept of the broker for social stuff is built around two points:

a) Application developer doesn't care about configuration of G+, 
twitter, FB, linkedIn, etc. at the app code level. He just does it a 
single time in the management console for his app(s). Then he just 
interacts with broker/keycloak APIs. If there is a new social provider 
added and configured via management console - it just appears in the app 
login screen. From application code perspective this is pretty much 
transparent. Important point is that those social services cannot be 
preconfigured as you cannot share key secret publicly.

b) Application User doesn't need to be aware of the existence of 
keycloak/broker. From the user perspective he is interacting only with 
the app and social providers (g+, twitter, etc.).

On 07/22/2013 01:35 PM, Bill Burke wrote:
> This is all stuff keycloak takes care of.  Once a user is logged into
> keycloak, they are remembered (until cookie timeout or a logout) and
> there's no need to go back to Google.  The same thing goes with "Foo is
> requesting permission..."  This is all something Keycloak will take care
> of and must take care of anyways as Google only manages its own
> applications.
>
> So, again, I don't see why you couldn't use a global keycloak account.
>
> On 7/22/2013 4:44 AM, Stian Thorgersen wrote:
>> A key/secret in Google (and same for Facebook, Twitter, etc.) maps onto the configuration for a single application. First time a user logs in to an application through Google (with or without Keycloak) they expect to see a message "Foo is requesting permission to ...". Second time they log in to the same application they are just redirected back to the application and automatically logged in (if they are already logged in to Google that is). If they try to log in to a different application they expect the message "Bar is requesting permission to ...". Also in their Google account they can list all the applications that have access to their account, including what information they can access. They can also revoke access to individual applications.
>>
>> This requires a separate configuration for each application for each enabled social provider. Hence why in IdentityBroker there's a list of social providers, including the key/secret, for each individual application. The plan was that further down the line it would be possible to share social provider configurations between a group of related applications. Maybe "a group of related applications" maps onto a realm, in which case we could have this configured on a realm instead of on individual applications.
>>
>> In the end it boils down to on what level should users be able to accept/revoke access to their social accounts, and what details are shown on their social account about the application. In my opinion this is definitively not a server wide setting. Also it's not possible to automatically configure this as it has to be linked to someone's social account (to use login with Google+ you have to have a Google+ account).
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Saturday, 20 July, 2013 2:45:17 AM
>>> Subject: [keycloak-dev] configuring social providers
>>>
>>> In looking at your demo, is there any reason you need to define the
>>> metadata for the social provider?  Can't you either
>>>
>>> a) Preconfigure Keycloak server with Twitter, Google+ account?
>>> b) Automatically configure the social provider without user input.
>>>
>>> Since Keycloak is already a broker, why does a user need to input any of
>>> that metadata?
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>


