[keycloak-user] Google as identity provider

Stian Thorgersen sthorger at redhat.com
Wed Apr 20 05:55:22 EDT 2016


I don't think you've thought this through completely.

If you create your own setting in Google to allow different tenants to
log in, then you're sharing the same Google client for all tenants, which is
bad for several reasons, including:
1. The Google client should be configured with a name, contact details, etc.
   that are linked to the realm the user is logging in to, not to all tenants.
2. You have a limited number of API calls allowed to Google; go beyond this and you have
   to pay. Tenants should configure their own Google provider.
3. When users agree to share their profile information they should do so on
   a per-realm (per-tenant) basis, not for all tenants. Think about it: if you do what
   you want, users would effectively grant all tenants of your SaaS access to
   their profile. That's bad.

For those reasons we won't introduce the ability to share identity provider
configuration or have a shared callback.

On 20 April 2016 at 10:37, Martijn Claus <m.claus at smile.nl> wrote:

> Hello,
>
> I’ve got a question regarding the identity provider Google (and maybe
> others). We are building a multi-tenant SaaS environment where the tenants
> are dynamically added (which I think is a valid use case). We use the
> Keycloak admin API to create a realm per tenant. We want to use (amongst
> others) the Google identity provider. For this you need to set up the
> callback URL in the Google API client. The problem is that the callback URL
> is different for each realm and *Google does not allow wildcards in
> redirect URLs.*
>
> The redirect URL format now:
>
> http://ourserver:8080/auth/realms/{realm}/broker/google/endpoint
>
> I don’t want to dynamically add redirect URLs to the Google API account.
> Google has a solution for this: the client (i.e. Keycloak) should use the
> “state” query parameter to add the realm. But this is a change Keycloak
> needs to make imo.
>
> Someone with a related problem (not with Keycloak):
>
> http://stackoverflow.com/questions/13652062/subdomain-in-google-console-redirect-uris/13769166#13769166
>
> Any thoughts on this problem?
>
> PS: I can imagine this also holds true for other identity providers, but
> Google was the first I tried.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
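An added example (not from this thread or the Keycloak project) illustrating the two mechanics discussed above: a strict redirect URI check in which the per-realm callback must match a registered value exactly (so a wildcard entry matches nothing), and what a single shared callback would require, namely a `state` value that is MAC-bound to the realm and a fresh nonce so the callback only dispatches to a realm it can verify. The base URL is the one quoted in the thread; the realm names and signing key are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

# Constructed sample values: the Keycloak base URL from the thread and two tenant realms.
BASE = "http://ourserver:8080"
REGISTERED_REDIRECTS = {
    f"{BASE}/auth/realms/{realm}/broker/google/endpoint" for realm in ("acme", "globex")
}
# Secret that binds `state` to this deployment (assumed; in practice loaded from config).
STATE_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size


def realm_redirect_uri(realm: str) -> str:
    """Per-realm broker callback in the format quoted in the thread."""
    return f"{BASE}/auth/realms/{realm}/broker/google/endpoint"


def redirect_uri_allowed(uri: str, registered=REGISTERED_REDIRECTS) -> bool:
    """Exact-match policy: no wildcard or prefix match, and no query/fragment may be appended."""
    parts = urlsplit(uri)
    return uri in registered and not parts.query and not parts.fragment


def make_state(realm: str) -> str:
    """Encode realm + fresh CSRF nonce and MAC them so the callback can trust which realm to dispatch to."""
    payload = json.dumps({"realm": realm, "nonce": secrets.token_urlsafe(16)}).encode()
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")


def parse_state(state: str):
    """Return the verified {realm, nonce} dict, or None if the MAC or encoding does not check out."""
    try:
        raw = base64.urlsafe_b64decode(state + "=" * (-len(state) % 4))
    except (binascii.Error, ValueError):
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)
```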