[keycloak-dev] configuring social providers

Stian Thorgersen stian at redhat.com
Mon Jul 22 10:24:22 EDT 2013



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 22 July, 2013 3:14:29 PM
> Subject: Re: [keycloak-dev] configuring social providers
> 
> 
> On 7/22/2013 9:56 AM, Stian Thorgersen wrote:
> > Actually I like the idea of having flexibility on this, initially I thought
> > you were just plain wrong ;)
> >
> > If it's possible to create one or more social provider configurations
> > separately to an application, then when creating an application choose
> > which social provider config to use, we get best of both IMO.
> >
> > This also means that someone setting up a Keycloak server could create a
> > global social provider config, which is then used by all applications. If
> > on top of that we can select who can access what realms, social provider
> > configurations and applications you can make these public or shared with a
> > set of users. Also if we have fine-grained authz we can define that the
> > social provider config can be used and key viewed by all, but only admins
> > can view the secret.
> >
> > This also means that when setting up the online Keycloak server there would
> > be a (sample) social provider config available to get you started with
> > initially. Once you want more control and/or let your users get more
> > control you can define your own social provider config.
> >
> > So there would be 3 things that users can create:
> >
> > * Realms
> > * Social config
> > * Applications
> >
> > An application has one realm, and zero or 1 social configs.
> >
> > In Keycloak online we could have a default public realm and social config
> > which users can use initially. Standard users would obviously have limited
> > access to these, for example they would not be able to:
> >
> > * Manage users (view users, edit users, etc.)
> > * View secrets for social providers
> >
> 
> 
> Hmm, I guess for the SaaS, if you use the global Keycloak account, then
> Keycloak will only ask for the minimalist of information from Google
> (email?).  Your application will not be able to ask for additional
> scopes.  For additional scopes, you'd need to configure your own
> account(s).  Is that what you're saying?

I think you would set the additional scopes in the social provider config through the Keycloak admin. This would require access to be able to modify that particular social provider config.

> 
> BTW, Why would we want to disable management of users in the default
> case?  All we'd need from google is something to identify the user
> (email) so that additional application permissions could be attached to
> that user via the keycloak admin ui later on.

This is in the case that the application uses the default public realm. Some random developer that logs on to keycloak.com should obviously not have full access to all users in this realm, but I see no problem in that developer being able to create an application that can authenticate users with this realm. For an internal keycloak server that would be different, in this case there could be a default realm where internal developers have full access to a realm, including creating applications that have full access to the realm.

> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
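The access split the thread sketches (a shared social provider config whose key is visible to everyone but whose secret only admins can read, a public realm that any developer may build applications against without being able to manage its users, and extra provider scopes set by editing the config rather than the application) can be made concrete as a small least-privilege model. The following is an added illustration, not code from the thread or from Keycloak; the roles, the `Realm`/`SocialConfig`/`Application` types, the `owner`/`shared` fields and the sample values are all assumptions:

```python
# Toy least-privilege model of the realm / social config / application split discussed
# in this thread. Added illustration, not Keycloak code; every name below is an assumption.
from dataclasses import dataclass
from typing import Optional

ADMIN = "admin"          # constructed role: full control of the server
DEVELOPER = "developer"  # constructed role: any random developer signed in to the SaaS


@dataclass(frozen=True)
class Actor:
    name: str
    role: str


@dataclass(frozen=True)
class Realm:
    name: str
    public: bool = False  # public realm: developers may build apps against it


@dataclass(frozen=True)
class SocialConfig:
    name: str
    provider: str
    client_id: str                # the "key": viewable by everyone who may use the config
    client_secret: str            # viewable only by admins or the config's owner
    scopes: tuple = ("email",)    # extra scopes live in the config, not the application
    owner: Optional[str] = None   # actor that created it; None = server-global default
    shared: bool = False          # usable by all developers (minus the secret)


@dataclass(frozen=True)
class Application:
    name: str
    realm: Realm                            # exactly one realm
    social: Optional[SocialConfig] = None   # zero or one social configs


class Forbidden(Exception):
    pass


def can_use_social(actor, cfg):
    return actor.role == ADMIN or cfg.shared or cfg.owner == actor.name


def can_modify_social(actor, cfg):
    # Changing scopes, client id or secret needs write access to that particular config.
    return actor.role == ADMIN or cfg.owner == actor.name


def view_social(actor, cfg):
    """Return the config as an admin-UI row; the secret is redacted unless permitted."""
    if not can_use_social(actor, cfg):
        raise Forbidden(f"{actor.name} may not view {cfg.name}")
    secret = cfg.client_secret if can_modify_social(actor, cfg) else "<redacted>"
    return {"name": cfg.name, "provider": cfg.provider, "client_id": cfg.client_id,
            "client_secret": secret, "scopes": list(cfg.scopes)}


def can_manage_users(actor, realm):
    # Being allowed to build apps on a realm never implies managing its users.
    return actor.role == ADMIN


def create_application(actor, name, realm, cfg=None):
    if not (actor.role == ADMIN or realm.public):
        raise Forbidden(f"{actor.name} may not create applications in realm {realm.name}")
    if cfg is not None and not can_use_social(actor, cfg):
        raise Forbidden(f"{actor.name} may not use social config {cfg.name}")
    return Application(name, realm, cfg)


def with_scopes(actor, cfg, scopes):
    """Request extra provider scopes by editing the config, as the reply suggests."""
    if not can_modify_social(actor, cfg):
        raise Forbidden(f"{actor.name} may not modify {cfg.name}")
    return SocialConfig(cfg.name, cfg.provider, cfg.client_id, cfg.client_secret,
                        tuple(scopes), cfg.owner, cfg.shared)


# Constructed sample data mirroring the "Keycloak online" scenario in the thread.
PUBLIC_REALM = Realm("public", public=True)
INTERNAL_REALM = Realm("internal", public=False)
DEFAULT_GOOGLE = SocialConfig("default-google", "google", "sample-client-id",
                              "sample-secret", shared=True)
ADMIN_USER = Actor("alice", ADMIN)
RANDOM_DEV = Actor("bob", DEVELOPER)

if __name__ == "__main__":
    app = create_application(RANDOM_DEV, "bobs-app", PUBLIC_REALM, DEFAULT_GOOGLE)
    print(app.name, view_social(RANDOM_DEV, DEFAULT_GOOGLE))
```

The point of the model is that the default config stays usable by everyone precisely because reading it never leaks the secret, while a developer who needs additional scopes has to own (or be granted write access to) a config of their own rather than editing the shared one.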

