[keycloak-user] Google as identity provider

Martijn Claus m.claus at smile.nl
Wed Apr 20 08:14:29 EDT 2016


Hi all,

“# The Google client should be configured with name, contact details, etc.. that is linked to the realm the user is logging in to, not to all tenants”
Partially true, this might be a problem for some parties with tenant-specific details. But our customers (tenants) buy a product X, which they can use, but for all tenants it’s called X, so the contact information etc. can be the same for all tenants.
“# You have limited API calls allowed to Google, go beyond this and you have to pay. Tenants should configure their own Google provider.”
We don’t want to bother the client with setting stuff up. We’ll pay the costs, and via microtransactions for login or use of our product the client indirectly pays for the API calls.
“# When users agree to share their profile information they should do so on a per-realm (per-tenant) not to all tenants. Think about it, if you do what you want users would effectively accept all tenants of your SaaS access to their profile. That's bad..”
Might be that I misunderstand it, but as far as I can see, the URL is still the same, only differently formatted. The realm is still in the callback URL, only now in the state parameter instead of the URL path.

Considering the above is no short-term solution (and maybe not even a long term), I’m looking for an alternative. I’m not familiar enough with Keycloak to rule out inheritance. Is there such a thing as inheritance of realms/identity providers?
Is there maybe a way identity providers can be inherited from another realm or is there no form of inheritance like this currently possible in Keycloak?

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Wednesday 20 April 2016 11:55
To: Martijn Claus <m.claus at smile.nl>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Google as identity provider

I don't think you've thought this through completely.

If you create your own setting in Google to allow different tenants to login then you're sharing the same Google client for all tenants, which is bad for several reasons, including:
# The Google client should be configured with name, contact details, etc.. that is linked to the realm the user is logging in to, not to all tenants
# You have limited API calls allowed to Google, go beyond this and you have to pay. Tenants should configure their own Google provider.
# When users agree to share their profile information they should do so on a per-realm (per-tenant) not to all tenants. Think about it, if you do what you want users would effectively accept all tenants of your SaaS access to their profile. That's bad..

For those reasons we won't introduce the ability to share identity provider configuration or have a shared callback.

On 20 April 2016 at 10:37, Martijn Claus <m.claus at smile.nl> wrote:
Hello,

I’ve got a question regarding the identity provider Google (and maybe others). We are building a multi-tenant SaaS environment where the tenants are dynamically added (which I think is a valid use case). We use the Keycloak admin API to create a realm per tenant. We want to use (amongst others) the Google identity provider. For this you need to set up the callback URL in the Google API client. The problem is that the callback URL is different for each realm and Google does not allow wildcards in redirect URLs.

The redirect URL format now:
http://ourserver:8080/auth/realms/{realm}/broker/google/endpoint

I don’t want to dynamically add redirect URLs to the Google API account. Google has a solution for this: the client (i.e. Keycloak) should use the “state” query parameter to add the realm. But this is a change Keycloak needs to make imo.

Someone with a related problem (not with keycloak)
http://stackoverflow.com/questions/13652062/subdomain-in-google-console-redirect-uris/13769166#13769166

Any thoughts on this problem?

PS: I can imagine this holds also true for other identity providers, but Google was the first I tried.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user


