Is it possible to have multiple hosted domains in Google Identity Provider?

bpg 168

Dec 1, 2022, 3:04:07 AM12/1/22
to Keycloak User
Hi All,

I want to whitelist 2 google domains in the "Hosted Domain" for Google Identity provider, but currently I am unable to find how to do it.

I tried comma-separated values, as in "domain1.com,domain2.com", but it seems not to work.
Maybe this field supports regex (?), or does it not support multiple domains at all? If so, what are some recommendations for whitelisting more than 1 domain?

Thank you.

Simon Levermann

Dec 1, 2022, 8:11:41 AM12/1/22
to Keycloak User
Hi,

It looks like this currently isn't possible: https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java#L101-L126; the current code only sends (and verifies) the one parameter.
It should be relatively simple to fix, though:

1. When sending the parameter in the auth request (Line 101) to Google, you should send "*" (see https://developers.google.com/identity/openid-connect/openid-connect#hd-param).
2. When validating the parameter (Line 126), check whether the parameter is in the list of parameters you allowed.

To get this into your setup quickly, I'd probably implement an IdentityProviderFactory that shares the ID "google" so it overwrites the builtin "google" IdP, and returns an IdentityProvider that extends the existing GoogleIdentityProvider, and just overrides createAuthorizationUrl and validateToken.
Of course it might also be a desirable feature for upstream, so a PR that provides this functionality in Keycloak itself may also be a good idea.

Best,
Simon
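The override Simon describes, written out as an added example (this is not code from the thread or from Keycloak itself). It assumes the Keycloak SPI as it stood in late 2022: `GoogleIdentityProvider.createAuthorizationUrl(AuthenticationRequest)` returning a `UriBuilder`, `validateToken(String, boolean)` returning a `JsonWebToken`, and `ProviderFactory.order()` deciding which of two factories sharing the id "google" is used; the class names `MultiDomainGoogleIdentityProvider` and `Factory` are my own.

```java
import java.util.*;
import java.util.stream.Collectors;
import javax.ws.rs.core.UriBuilder; // jakarta.ws.rs.core.UriBuilder on Keycloak 22+
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.social.google.GoogleIdentityProvider;
import org.keycloak.social.google.GoogleIdentityProviderConfig;
import org.keycloak.social.google.GoogleIdentityProviderFactory;

public class MultiDomainGoogleIdentityProvider extends GoogleIdentityProvider {
    private final Set<String> allowedDomains;
    public MultiDomainGoogleIdentityProvider(KeycloakSession session, GoogleIdentityProviderConfig config, String list) {
        super(session, config);
        // "Hosted Domain" is read as a comma-separated allow-list ("domain1.com,domain2.com"), lower-cased
        // so the check in validateToken is an exact set lookup, not a regex or substring match.
        allowedDomains = Arrays.stream(list == null ? new String[0] : list.split(","))
                .map(s -> s.trim().toLowerCase(Locale.ROOT)).filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }
    @Override
    protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
        // hd=* lets Google's account chooser offer any Workspace domain. It is only a UI hint; the
        // enforcement is the claim check in validateToken, which runs on the signed ID token.
        return super.createAuthorizationUrl(request).replaceQueryParam("hd", "*");
    }
    @Override
    protected JsonWebToken validateToken(String encodedToken, boolean ignoreAudience) {
        JsonWebToken token = super.validateToken(encodedToken, ignoreAudience); // signature, iss, exp, aud
        if (allowedDomains.isEmpty()) return token; // field left blank keeps the built-in "unrestricted" meaning
        Object hd = token.getOtherClaims().get("hd"); // absent for consumer accounts, which are rejected here
        if (!(hd instanceof String) || !allowedDomains.contains(((String) hd).toLowerCase(Locale.ROOT))) {
            throw new IdentityBrokerException("Hosted domain does not match.");
        }
        return token;
    }
    // Same id "google" as the stock factory; order() > 0 is assumed to make Keycloak prefer this one.
    // Register it in META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory.
    public static class Factory extends GoogleIdentityProviderFactory {
        @Override
        public GoogleIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
            // The parent gets a copy with "hostedDomain" cleared, so its single-domain check becomes a no-op.
            IdentityProviderModel copy = new IdentityProviderModel(model);
            copy.setConfig(new HashMap<>(model.getConfig()));
            String list = copy.getConfig().remove("hostedDomain");
            return new MultiDomainGoogleIdentityProvider(session, new GoogleIdentityProviderConfig(copy), list);
        }
        @Override public int order() { return 100; }
    }
}
```

The allow-list is applied to the `hd` claim of the verified ID token, not to the `hd` request parameter, since only the token is signed by Google; an account with no `hd` claim is rejected whenever at least one domain is configured.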