[keycloak-dev] configuring social providers

Stian Thorgersen stian at redhat.com
Mon Jul 22 09:56:09 EDT 2013


Actually I like the idea of having flexibility on this, initially I thought you were just plain wrong ;)

If it's possible to create one or more social provider configurations separately to an application, then when creating an application choose which social provider config to use, we get best of both IMO.

This also means that someone setting up a Keycloak server could create a global social provider config, which is then used by all applications. If on top of that we can select who can access what realms, social provider configurations and applications you can make these public or shared with a set of users. Also if we have fine-grained authz we can define that the social provider config can be used and key viewed by all, but only admins can view the secret.

This also means that when setting up the online Keycloak server there would be a (sample) social provider config available to get you started with initially. Once you want more control and/or let your users get more control you can define your own social provider config.

So there would be 3 things that users can create:

* Realms
* Social config
* Applications

An application has one realm, and zero or 1 social configs.

In Keycloak online we could have a default public realm and social config which users can use initially. Standard users would obviously have limited access to these, for example they would not be able to:

* Manage users (view users, edit users, etc.)
* View secrets for social providers

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, 22 July, 2013 2:44:50 PM
> Subject: Re: [keycloak-dev] configuring social providers
> 
> 
> 
> On 7/22/2013 9:39 AM, Marko Strukelj wrote:
> >
> >
> > ----- Original Message -----
> >> On 07/22/2013 03:24 PM, Bolesław Dawidowicz wrote:
> >>> On 07/22/2013 03:13 PM, Marko Strukelj wrote:
> >>>> When using Google+ SignIn or Facebook SignIn or Twitter SignIn I
> >>>> always get redirected to an authorization form where now there would
> >>>> say something like:
> >>>>
> >>>> Application _Keycloak_ wants access to your email, and a list of
> >>>> friends.
> >>>>
> >>>> Instead of saying:
> >>>>
> >>>> Application _SocialDemo_ wants access to your email ...
> >>>>
> >>>>
> >>>> Me as a user I don't know anything about Keycloak. I came to the web
> >>>> site of SocialDemo. When I see that Keycloak wants access to my
> >>>> email, phishing alarms go off in my head ...
> >>>
> >>> Exactly...
> >>
> >> Also IIRC you define the level of access to user information per
> >> application - and requirements may vary. Would it be possible with
> >> global account?
> >>
> > You mean that by granting access to my list of friends when signing in via
> > SocialDemo, I would be granting the same access to acme.com and all the
> > apps using Keycloak? :)
> > I'd say that's the case, yes.
> >
> 
> You win.
> 
> You're right I'm wrong
> You're the best, I'm the worst
> You're good looking, I'm not very attractive...
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
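A sketch of the model proposed in the message above (an application has one realm and zero or one social configs; a shared config's key is visible to everyone who may use it, its secret only to admins). This is an added example, not code from the thread or from Keycloak; every class, function and field name and all sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SocialConfig:                      # hypothetical model, not Keycloak's
    name: str
    provider: str
    key: str
    secret: str
    admins: frozenset                    # users who may view the secret
    shared_with: Optional[frozenset] = None   # None means public

@dataclass(frozen=True)
class Application:
    name: str
    realm: str                                     # exactly one realm
    social_config: Optional[SocialConfig] = None   # zero or one config

def can_use(cfg: SocialConfig, user: str) -> bool:
    """A config is usable if it is public, shared with the user, or the user administers it."""
    return cfg.shared_with is None or user in cfg.shared_with or user in cfg.admins

def view_config(cfg: SocialConfig, user: str) -> dict:
    """Return only the fields this user may see; the secret is left out unless the user is an admin."""
    if not can_use(cfg, user):
        raise PermissionError(f"{user} may not access config {cfg.name}")
    view = {"name": cfg.name, "provider": cfg.provider, "key": cfg.key}
    if user in cfg.admins:
        view["secret"] = cfg.secret
    return view

def create_application(name: str, realm: str, user: str,
                       cfg: Optional[SocialConfig] = None) -> Application:
    """Bind an application to its realm and, optionally, a config the creator is allowed to use."""
    if not realm:
        raise ValueError("an application must belong to a realm")
    if cfg is not None and not can_use(cfg, user):
        raise PermissionError(f"{user} may not use config {cfg.name}")
    return Application(name, realm, cfg)

# Constructed sample data: a public default config and a private one.
DEFAULT = SocialConfig("default", "google", "constructed-client-id",
                       "constructed-secret", admins=frozenset({"admin"}))
PRIVATE = SocialConfig("acme", "google", "constructed-acme-id",
                       "constructed-acme-secret", admins=frozenset({"carol"}),
                       shared_with=frozenset({"dave"}))
```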


