[keycloak-dev] configuring social providers

Bolesław Dawidowicz bdawidow at redhat.com
Mon Jul 22 10:01:22 EDT 2013


+1.

It also hit me during this conversation that Bill is quite right around 
the idea he pushed for - just missed some constraints.

Making it easier to use OOTB sounds very good. It just needs to be more 
configurable than that.

On 07/22/2013 03:56 PM, Stian Thorgersen wrote:
> Actually I like the idea of having flexibility on this, initially I
> thought you were just plain wrong ;)
>
> If it's possible to create one or more social provider configurations
> separately to an application, then when creating an application
> choose which social provider config to use, we get best of both IMO.
>
> This also means that someone setting up a Keycloak server could
> create a global social provider config, which is then used by all
> applications. If on top of that we can select who can access what
> realms, social provider configurations and applications you can make
> these public or shared with a set of users. Also if we have
> fine-grained authz we can define that the social provider config can
> be used and key viewed by all, but only admins can view the secret.
>
> This also means that when setting up the online Keycloak server there
> would be a (sample) social provider config available to get you
> started with initially. Once you want more control and/or let your
> users get more control you can define your own social provider
> config.
>
> So there would be 3 things that users can create:
>
> * Realms
> * Social config
> * Applications
>
> An application has one realm, and zero or 1 social configs.
>
> In Keycloak online we could have a default public realm and social
> config which users can use initially. Standard users would obviously
> have limited access to these, for example they would not be able to:
>
> * Manage users (view users, edit users, etc.)
> * View secrets for social providers
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 22 July, 2013 2:44:50 PM
>> Subject: Re: [keycloak-dev] configuring social providers
>>
>>
>>
>> On 7/22/2013 9:39 AM, Marko Strukelj wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> On 07/22/2013 03:24 PM, Bolesław Dawidowicz wrote:
>>>>> On 07/22/2013 03:13 PM, Marko Strukelj wrote:
>>>>>> When using Google+ SignIn or Facebook SignIn or Twitter
>>>>>> SignIn I always get redirected to an authorization form
>>>>>> where now there would say something like:
>>>>>>
>>>>>> Application _Keycloak_ wants access to your email, and a
>>>>>> list of friends.
>>>>>>
>>>>>> Instead of saying:
>>>>>>
>>>>>> Application _SocialDemo_ wants access to your email ...
>>>>>>
>>>>>>
>>>>>> Me as a user I don't know anything about Keycloak. I came
>>>>>> to the web site of SocialDemo. When I see that Keycloak
>>>>>> wants access to my email, phishing alarms go off in my head
>>>>>> ...
>>>>>
>>>>> Exactly...
>>>>
>>>> Also IIRC you define the level of access to user information
>>>> per application - and requirements may vary. Would it be
>>>> possible with global account?
>>>>
>>> You mean that by granting access to my list of friends when
>>> signing in via SocialDemo, I would be granting the same access to
>>> acme.com and all the apps using Keycloak? :) I'd say that's the
>>> case, yes.
>>>
>>
>> You win.
>>
>> You're right I'm wrong
>> You're the best, I'm the worst
>> You're good looking, I'm not very attractive...
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
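
The two setups debated in this thread, as an added example (not part of the original message and not Keycloak code): a small Python model in which a simplified provider records consent per client key, so applications sharing one global social config share the user's grant, while a per-application config isolates it. All class, function and value names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SocialConfig:  # hypothetical model, not a Keycloak class
    name: str          # application name the provider shows on its consent form
    key: str           # provider client key
    secret: str        # provider client secret
    scopes: frozenset  # access requested from the user

    def view(self, is_admin: bool) -> dict:
        """Key is visible to everyone who may use the config, the secret only to admins."""
        out = {"name": self.name, "key": self.key, "scopes": sorted(self.scopes)}
        if is_admin:
            out["secret"] = self.secret
        return out

@dataclass
class Application:
    name: str
    realm: str                             # exactly one realm
    social: Optional[SocialConfig] = None  # zero or one social config

class Provider:
    """Simplified social provider: it records consent per (user, client key)."""
    def __init__(self):
        self.grants = {}

    def consent_prompt(self, app: Application) -> str:
        cfg = app.social
        return f"Application {cfg.name} wants access to your {', '.join(sorted(cfg.scopes))}"

    def approve(self, user: str, app: Application) -> None:
        self.grants.setdefault((user, app.social.key), set()).update(app.social.scopes)

    def granted(self, user: str, app: Application) -> set:
        key = app.social.key if app.social else None
        return set(self.grants.get((user, key), ()))

GLOBAL_CFG = SocialConfig("Keycloak", "kc-key", "kc-secret", frozenset({"email", "friends"}))  # constructed
OWN_CFG = SocialConfig("SocialDemo", "sd-key", "sd-secret", frozenset({"email"}))  # constructed

def alice_signs_in_to_socialdemo(socialdemo_cfg: SocialConfig):
    """Return (consent prompt Alice sees, what acme.com holds afterwards)."""
    provider = Provider()
    socialdemo = Application("SocialDemo", "public", socialdemo_cfg)
    acme = Application("acme.com", "public", GLOBAL_CFG)  # acme.com uses the global config
    provider.approve("alice", socialdemo)
    return provider.consent_prompt(socialdemo), provider.granted("alice", acme)
```

Calling `alice_signs_in_to_socialdemo(GLOBAL_CFG)` and then `alice_signs_in_to_socialdemo(OWN_CFG)` contrasts the shared and the per-application setup.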
