[keycloak-user] Google as identity provider

Stian Thorgersen sthorger at redhat.com
Wed Apr 20 08:45:57 EDT 2016


On 20 April 2016 at 14:14, Martijn Claus <m.claus at smile.nl> wrote:

> Hi all,
>
> “# The Google client should be configured with name, contact details,
> etc.. that is linked to the realm the user is logging in to, not to all
> tenants”
>
> Partially true, this might be a problem for some parties with
> tenant-specific details. But our customers (tenants) buy a product X, which
> they can use, but for all tenants it’s called X so the contact information
> etc can be the same for all tenants.
>
> “# You have limited API calls allowed to Google, go beyond this and you
> have to pay. Tenants should configure their own Google provider.”
>
> We don’t want to bother the client with setting stuff up. We’ll pay the
> costs and via microtransactions for login or user of our product the client
> indirectly pays for the API calls.
>
> “# When users agree to share their profile information they should do so
> on a per-realm (per-tenant) not to all tenants. Think about it, if you do
> what you want users would effectively accept all tenants of your SaaS
> access to their profile. That's bad..”
>
> Might be that I misunderstand it, but as far as I can see, the URL is
> still the same, only differently formatted. Realm is still in the callback
> URL, only now in the state parameter instead of the URL path.
>
> Considering the above is no short-term solution (and maybe not even a long
> term), I’m looking for an alternative. I’m not familiar enough with
> Keycloak to rule out inheritance. Is there such a thing as inheritance of
> realms/identity providers?
>
> Is there maybe a way identity providers can be inherited from another
> realm or is there no form of inheritance like this currently possible in
> Keycloak?
>

Well, you have 3 issues here:

# Sharing identity provider config - you could do this through admin
endpoints
# Including realm name in state param - you'll have to create your own
custom identity providers for this
# Adding a single callback endpoint - you can use realm resource spi
introduced in 1.9.2 for this

We're not going to add support for any of those in KC itself, not in the
long run either (for the reasons I listed previously), but you can achieve
it on your own.


>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Wednesday 20 April 2016 11:55
> *To:* Martijn Claus <m.claus at smile.nl>
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Google as identity provider
>
> I don't think you've thought this through completely.
>
> If you create your own setting in Google to allow different tenants to
> login then you're sharing the same Google client for all tenants, which is
> bad for several reasons, including:
>
> # The Google client should be configured with name, contact details, etc..
> that is linked to the realm the user is logging in to, not to all tenants
>
> # You have limited API calls allowed to Google, go beyond this and you
> have to pay. Tenants should configure their own Google provider.
>
> # When users agree to share their profile information they should do so on
> a per-realm (per-tenant) not to all tenants. Think about it, if you do what
> you want users would effectively accept all tenants of your SaaS access to
> their profile. That's bad..
>
> For those reasons we won't introduce the ability to share identity
> provider configuration or have a shared callback.
>
> On 20 April 2016 at 10:37, Martijn Claus <m.claus at smile.nl> wrote:
>
> Hello,
>
> I’ve got a question regarding the identity provider Google (and maybe
> others). We are building a multi-tenant SaaS environment where the tenants
> are dynamically added (which I think is a valid use case). We use the
> Keycloak admin API to create a realm per tenant. We want to use (amongst
> others) the Google identity provider. For this you need to set up the
> callback URL in the Google API client. The problem is that the callback URL
> is different for each realm and *Google does not allow wildcards in
> redirect URLs.*
>
> The redirect url format now:
>
> http://ourserver:8080/auth/realms/{realm}/broker/google/endpoint
>
> I don’t want to dynamically add redirect URLs to the Google API account.
> Google has a solution for this: the client (i.e. Keycloak) should use the
> “state” query parameter to add the realm. But this is a change Keycloak
> needs to make imo.
>
> Someone with a related problem (not with keycloak)
>
> http://stackoverflow.com/questions/13652062/subdomain-in-google-console-redirect-uris/13769166#13769166
>
> Any thoughts on this problem?
>
> PS: I can imagine this holds also true for other identity providers, but
> Google was the first I tried.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
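The scheme argued over in this thread (one redirect URI registered at Google, the realm carried in the OAuth 2.0 `state` parameter, a single callback that hands off to the per-realm broker endpoint) is only safe if that `state` cannot be forged or replayed, otherwise a shared callback becomes a way to route a login into any tenant's realm. The following is an added illustration written for this thread, not Keycloak code and not something either poster wrote: it signs the state with an HMAC, binds it to the browser session with a nonce, expires it, and only routes to realms on an allowlist. The callback path `/google-callback`, the signing key, the client id and the realm names are constructed placeholders; the broker endpoint format is the one quoted in the thread. Keycloak's stock Google provider expects its own state format, so in practice the custom identity provider Stian mentions would have to accept a state of this shape.

```python
"""Single OAuth callback routed to a realm via a signed, session-bound state.

Added example for the keycloak-user thread; not Keycloak code. All secrets,
hosts and realm names below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Iterable, Optional
from urllib.parse import urlencode

STATE_SECRET = b"placeholder-state-signing-key"   # constructed; rotate in a real deployment
BASE_URL = "http://ourserver:8080/auth"           # host quoted in the thread
SINGLE_CALLBACK = f"{BASE_URL}/google-callback"   # the one redirect URI registered at Google (assumed path)
GOOGLE_CLIENT_ID = "placeholder-client-id"        # constructed
STATE_TTL_SECONDS = 300                           # how long a state stays valid


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(realm: str, session: dict, now: Optional[float] = None) -> str:
    """Build an HMAC-signed state carrying the realm, a nonce and an issue time.

    The nonce is also stored in the caller's session so the callback can tie the
    provider's response to the browser that started the login (CSRF protection).
    """
    nonce = secrets.token_urlsafe(16)
    session["oauth_nonce"] = nonce
    payload = {"realm": realm, "nonce": nonce, "iat": int(now if now is not None else time.time())}
    body = _b64u(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(STATE_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64u(tag)}"


def authorization_url(realm: str, session: dict) -> str:
    """Google authorization request that always uses the single registered redirect URI."""
    params = {
        "client_id": GOOGLE_CLIENT_ID,
        "redirect_uri": SINGLE_CALLBACK,
        "response_type": "code",
        "scope": "openid email profile",
        "state": make_state(realm, session),
    }
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


def parse_state(state: str, session: dict, known_realms: Iterable[str],
                now: Optional[float] = None) -> Optional[str]:
    """Return the realm named in state if it is authentic, fresh, bound to this
    session and names a realm we actually host; otherwise None."""
    try:
        body, tag = state.split(".", 1)
        expected = hmac.new(STATE_SECRET, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64u(tag)):
            return None                      # forged or tampered state
        payload = json.loads(_unb64u(body))
    except (ValueError, UnicodeError):
        return None                          # malformed state
    if not isinstance(payload, dict):
        return None
    current = now if now is not None else time.time()
    iat, nonce, realm = payload.get("iat"), payload.get("nonce"), payload.get("realm")
    if not isinstance(iat, int) or not 0 <= current - iat <= STATE_TTL_SECONDS:
        return None                          # expired, or issued in the future
    expected_nonce = session.pop("oauth_nonce", None)   # one-time use: consumed here
    if not isinstance(nonce, str) or expected_nonce is None \
            or not hmac.compare_digest(expected_nonce, nonce):
        return None                          # not the login this browser started
    if not isinstance(realm, str) or realm not in set(known_realms):
        return None                          # never route to an arbitrary realm path
    return realm


def dispatch_callback(query: dict, session: dict, known_realms: Iterable[str]) -> Optional[str]:
    """Map the single callback to the per-realm broker endpoint quoted in the thread,
    or None if the request must be rejected."""
    realm = parse_state(query.get("state", ""), session, known_realms)
    if realm is None or "code" not in query:
        return None
    return f"{BASE_URL}/realms/{realm}/broker/google/endpoint?" + urlencode(
        {"code": query["code"], "state": query["state"]})


if __name__ == "__main__":
    browser = {}                                  # stands in for a server-side session
    print(authorization_url("tenant-a", browser))
    state = make_state("tenant-a", browser)
    print(dispatch_callback({"code": "constructed-code", "state": state}, browser, {"tenant-a"}))
```

The session dictionary stands in for whatever server-side session store fronts the callback; the nonce is popped on first use so a captured callback URL cannot be replayed, and the realm allowlist is what keeps a single shared redirect URI from being turned into a router for realms the attacker chooses.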