[keycloak-dev] configuring social providers

Bill Burke bburke at redhat.com
Mon Jul 22 08:59:52 EDT 2013



On 7/22/2013 8:28 AM, Bolesław Dawidowicz wrote:
> On 07/22/2013 02:12 PM, Bill Burke wrote:
>>
>>
>> On 7/22/2013 7:48 AM, Bolesław Dawidowicz wrote:
>>> The whole concept of the broker for social stuff is built around two points:
>>>
>>> a) The application developer doesn't care about configuration of G+,
>>> twitter, FB, linkedIn etc. at the app code level. He just does it a
>>> single time in the management console for his app(s). Then he just
>>> interacts with broker/keycloak APIs. If there is a new social provider
>>> added and configured via the management console, it just appears in the app
>>> login screen. From the application code perspective this is pretty much
>>> transparent. The important point is that those social services cannot be
>>> preconfigured as you cannot share the key secret publicly.
>>>
>>
>> Nothing you have said has convinced me you CAN'T use a global keycloak
>> google account.  Login will be a double OAuth invocation.  Redirects
>> will be Application->Keycloak->Google->Keycloak->Application.
>>
>> This is a usability issue.  If we go the IdentityBroker route, a
>> keycloak user would have to register and create a social account for
>> each social provider they want to enable.  If a new social becomes
>> popular, they won't automatically get this new provider, they will again
>> have to register for an account and configure keycloak.
>
> Yes but then you just do it once for the whole set of your applications.
> 3 clicks in the management UI, filling in 3 text forms. Then your N
> applications that are configured with KC/Broker automagically obtain
> support for this new social provider

Again, this is a huge usability issue.  A lot of time-consuming 
configuration to enable social media login.

>>
>> I'd like to see just one checkbox "Enable Social Login".  When the admin
>> checks this, they get everything we can integrate with or will be able
>> to integrate with.  Simple easy....
>
> Don't you need to register KeyCloak with Google first and obtain a
> secret that cannot be shared and therefore cannot be configured in KC OOTB?

What is OOTB? Out of the box?

I'm not understanding you.  Maybe we're misunderstanding each other? 
The Keycloak SaaS would be set up and installed by us, Red Hat.  So we 
would register Keycloak with Google/Twitter/etc and pre-configure 
Keycloak SaaS when we launch it.

The OOTB, downloadable appliance would require the admin to set up the 
global social accounts and configure the appliance before starting it up.

But what I don't want is for each Realm created on a Keycloak server to 
have to set up these social accounts.

> Our point is that you cannot have a global Google/Twitter/etc. KeyCloak
> developer account provided and configured by default - it would violate
> a certain set of terms and conditions defined by those providers.
>

You need to be more specific: These providers have terms and conditions 
that prevent third parties from becoming a *true* broker?  And they will 
disable Keycloak's account?

For example, Google's terms of service say nothing that prevents us 
from having a global Keycloak account:

http://www.google.com/intl/en/policies/terms


>>
>>> b) The application user doesn't need to be aware of the existence of
>>> keycloak/broker. From the user's perspective he is interacting only with
>>> the app and social providers (g+, twitter, etc.).
>>>
>>
>> Incorrect.  For the OAuth case, Keycloak will be specifying messages
>> like "Application XXX is requesting permission to access your
>> inventory."  Google only does OAuth for Google apps, AFAICT.
>>
>> For single-sign-on, users will be redirected to Keycloak.  If there is a
>> keycloak session cookie set, then no social login is required, but the
>> 2nd application the user visits still needs to obtain a token.
>
> I think we are a bit lost in the conversation and are talking about a
> bit different things and flows. Did you try to follow the Getting
> Started for the POC that Stian shared?
>

I thought you stated that users won't be aware of keycloak and will just 
see the keycloak login screen and google login screen.  This is 
incorrect. Each keycloak realm will have its own notions of OAuth scope 
and "acting on behalf of" beyond what Google et al. can provide.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

