[keycloak-user] Google as identity provider
Juraci Paixão Kröhling
juraci at kroehling.de
Wed Apr 20 08:32:12 EDT 2016
On 20.04.2016 14:14, Martijn Claus wrote:
> “# When users agree to share their profile information they should do so
> on a per-realm (per-tenant) not to all tenants. Think about it, if you
> do what you want users would effectively accept all tenants of your SaaS
> access to their profile. That's bad..”
>
> Might be that I misunderstand it, but as far as I can see, the url is
> still the same, only differently formatted. Realm is still in the
> callback url, only now in the state parameter instead of the urlpath.
As a user on the realm "foo", I have not given permission to tenant
"bar" to use my Google information.
> Considering the above is no short-term solution (and maybe not even a
> long term), I’m looking for an alternative. I’m not familiar enough with
> Keycloak to rule out inheritance. Is there such a thing as inheritance
> of realms/identity providers?
I think Stian's arguments are very powerful and I would certainly
re-consider. If you do decide to go with multiple tenants on a single
shared Google API account, you could put an nginx/httpd in front of your
Keycloak server and perform a URL rewrite:
http://.../?state=foo_realm -> http://.../auth/realms/foo_realm/...
- Juca.
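As an added illustration of the rewrite sketched above (not code from the original message or from the Keycloak project), here is what it could look like in nginx. It assumes a hypothetical host sso.example.com whose path /google-callback is the single redirect URI registered with Google, a Keycloak broker alias of google, Keycloak reachable inside the proxy network as keycloak:8080, and a state value of the form <realm>.<opaque>; all of these are assumptions, not Keycloak defaults.

```nginx
# Assumed layout (not a Keycloak default): Google is registered with the
# single redirect URI https://sso.example.com/google-callback, and the
# state parameter Google sends back looks like "<realm>.<opaque>",
# e.g. foo_realm.Xy9abc, where the part before the first dot is the realm.
map $arg_state $cb_realm {
    default "";
    # Allow-list the realm name: letters, digits, "_" and "-" only, at most
    # 64 characters. Anything else maps to "" and is rejected below, so the
    # state value can never inject path segments or traversal into the URL.
    "~^(?<realm>[A-Za-z0-9_-]{1,64})\.[A-Za-z0-9._-]+$" $realm;
}

server {
    listen 443 ssl;
    server_name sso.example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity.

    location = /google-callback {
        # Refuse any callback whose state does not name a well-formed realm.
        if ($cb_realm = "") {
            return 400;
        }
        # Hand the request to the realm's broker endpoint (assumed alias
        # "google"). rewrite keeps the original query string, so code and
        # state reach Keycloak unchanged.
        rewrite ^ /auth/realms/$cb_realm/broker/google/endpoint last;
    }

    location /auth/ {
        proxy_pass http://keycloak:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two points matter for safety here. The realm name taken from state is attacker-controlled input on the callback, so it must be constrained to an allow-listed character set before it is placed into a path, as the map does; without that, a crafted state could route the callback anywhere under the proxy. And the rewrite changes only the path, forwarding code and state untouched, so whatever validation Keycloak performs on the realm's broker endpoint still runs against the original values.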