[keycloak-dev] configuring social providers

Marko Strukelj mstrukel at redhat.com
Mon Jul 22 10:15:01 EDT 2013


I don't exactly remember where I saw this, but it was with one of the existing identity broker providers ... When you set up an application you specify what your application needs, i.e.:

- Access Email
- Access List of Friends
- Post to wall 
- Access Documents
- Access Location

You just click checkboxes, and the broker requires the appropriate social-provider-specific access profiles.

If all the interaction with the social graph and social-service-specific APIs were proxied through Keycloak APIs, then Keycloak could limit access based on the application profile, regardless of whether another application triggered the user to grant Keycloak greater access than one specific application requires.

Also, the phishing alarm when seeing Keycloak mentioned in the authorization form can be alleviated by adding a "Powered by Keycloak" badge to the SignIn page of the app, or by mentioning Keycloak some other way.


----- Original Message -----
> +1.
> 
> It also hit me during this conversation that Bill is quite right around
> the idea he pushed for - just missed some constraints.
> 
> Making it easier to use OOTB sounds very good. It just needs to be more
> configurable than that.
> 
> On 07/22/2013 03:56 PM, Stian Thorgersen wrote:
> > Actually I like the idea of having flexibility on this, initially I
> > thought you were just plain wrong ;)
> >
> > If it's possible to create one or more social provider configurations
> > separately to an application, then when creating an application
> > choose which social provider config to use, we get best of both IMO.
> >
> > This also means that someone setting up a Keycloak server could
> > create a global social provider config, which is then used by all
> > applications. If on top of that we can select who can access what
> > realms, social provider configurations and applications you can make
> > these public or shared with a set of users. Also if we have
> > fine-grained authz we can define that the social provider config can
> > be used and key viewed by all, but only admins can view the secret.
> >
> > This also means that when setting up the online Keycloak server there
> > would be a (sample) social provider config available to get you
> > started with initially. Once you want more control and/or let your
> > users get more control you can define your own social provider
> > config.
> >
> > So there would be 3 things that users can create:
> >
> > * Realms
> > * Social config
> > * Applications
> >
> > An application has one realm, and zero or 1 social configs.
> >
> > In Keycloak online we could have a default public realm and social
> > config which users can use initially. Standard users would obviously
> > have limited access to these, for example they would not be able to:
> >
> > * Manage users (view users, edit users, etc.)
> > * View secrets for social providers
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Monday, 22 July, 2013 2:44:50 PM
> >> Subject: Re: [keycloak-dev] configuring social providers
> >>
> >>
> >>
> >> On 7/22/2013 9:39 AM, Marko Strukelj wrote:
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> On 07/22/2013 03:24 PM, Bolesław Dawidowicz wrote:
> >>>>> On 07/22/2013 03:13 PM, Marko Strukelj wrote:
> >>>>>> When using Google+ SignIn or Facebook SignIn or Twitter
> >>>>>> SignIn I always get redirected to an authorization form
> >>>>>> where now there would say something like:
> >>>>>>
> >>>>>> Application _Keycloak_ wants access to your email, and a
> >>>>>> list of friends.
> >>>>>>
> >>>>>> Instead of saying:
> >>>>>>
> >>>>>> Application _SocialDemo_ wants access to your email ...
> >>>>>>
> >>>>>>
> >>>>>> As a user, I don't know anything about Keycloak. I came
> >>>>>> to the web site of SocialDemo. When I see that Keycloak
> >>>>>> wants access to my email, phishing alarms go off in my head
> >>>>>> ...
> >>>>>
> >>>>> Exactly...
> >>>>
> >>>> Also IIRC you define the level of access to user information
> >>>> per application - and requirements may vary. Would it be
> >>>> possible with global account?
> >>>>
> >>> You mean that by granting access to my list of friends when
> >>> signing in via SocialDemo, I would be granting the same access to
> >>> acme.com and all the apps using Keycloak? :) I'd say that's the
> >>> case, yes.
> >>>
> >>
> >> You win.
> >>
> >> You're right, I'm wrong.
> >> You're the best, I'm the worst.
> >> You're good looking, I'm not very attractive...
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >
> >
> 
> 
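The brokered least-privilege model Marko sketches above (an application ticks abstract capabilities, the broker maps them to provider-specific scopes, and proxied API calls are limited per application even when the user has granted the broker more), as an added example in Python that is not part of the thread or of Keycloak's code; the provider names, capability names and scope strings are constructed placeholders, not the providers' real scope identifiers.

```python
"""Least-privilege brokering of social-provider access (added example)."""
from dataclasses import dataclass

# Illustrative capability -> provider scope mapping. The scope strings are
# constructed placeholders, not the providers' real scope names.
PROVIDER_SCOPES = {
    "google":   {"email": "g.email", "friends": "g.contacts", "location": "g.location"},
    "facebook": {"email": "fb.email", "friends": "fb.user_friends", "post": "fb.publish"},
}


@dataclass(frozen=True)
class AppProfile:
    """Checkboxes ticked when the application was registered with the broker."""
    name: str
    capabilities: frozenset


@dataclass(frozen=True)
class BrokerGrant:
    """What one user has granted the broker at one provider (union over all apps)."""
    provider: str
    scopes: frozenset


def required_scopes(app: AppProfile, provider: str) -> frozenset:
    """Provider-specific scopes for this app's profile; an unmapped capability is an error."""
    table = PROVIDER_SCOPES[provider]
    unsupported = app.capabilities - table.keys()
    if unsupported:
        raise ValueError(f"{provider} cannot satisfy {sorted(unsupported)} for {app.name}")
    return frozenset(table[c] for c in app.capabilities)


def scopes_to_request(app: AppProfile, grant: BrokerGrant) -> frozenset:
    """Scopes the broker still has to ask the user for at sign-in; empty means no new prompt."""
    return required_scopes(app, grant.provider) - grant.scopes


def proxy_allows(app: AppProfile, grant: BrokerGrant, capability: str) -> bool:
    """Gate for a proxied API call: the app's own profile AND the user's grant must cover it.

    Deny when the app never asked for the capability, even if a different
    application led the user to grant that access to the broker.
    """
    if capability not in app.capabilities:
        return False
    scope = PROVIDER_SCOPES[grant.provider].get(capability)
    return scope is not None and scope in grant.scopes
```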


