Change Redirect URI of Identity Provider in Keycloak

Whenever we configure Identity Provider in KeyCloak, it automatically sets Redirect URI like

http://keyclaok:8080/auth/realms/{MY_REALM}/broker/google/endpoint

I am implementing multi-tenancy in the project. For every tenant, I will have a separate realm and in turn, have a separate Redirect URI.

For this to work, I need to configure the same URL in “Authorized Redirect URLs” in Google Cloud Platform Console.

To ensure KeyCloak’s IDP Redirect URI and Google console’s configured Authorized URL match, there are 2 possible options:

  1. Dynamically (programmatically) configure the Authorized Redirect URL in the Google console when a new tenant/realm is created. As far as I know, there is no way to dynamically set this authorized redirect URL. So this doesn’t look like a viable option.
  2. Configure custom redirect URI in KeyCloak. However, Keycloak doesn’t seem to allow changing Redirect URI for Identity Provider.

Any solution, workaround or hints would be appreciated. I feel this is not a unique problem that I am solving. It must be already done and solved by many.


It would be much easier if Google Identity accepted wildcards in redirect URLs, which would allow matching the values mentioned in your example. Unfortunately, that’s not the case.

However, the first option you mentioned is still possible: you can create/add a custom event listener that listens for the event type “realm added” and dynamically register the newly created realm/tenant.
You can find a sample code in this Stack Overflow discussion: Keycloak event listener provider not firing new realm creation event.

Edit: The previous code is a direct change to Keycloak’s code, which is not recommended. Now it’s supported within Keycloak via this commit.

That’s not possible for a reason. While the specification currently still allows wildcards in redirect URIs, it’s not recommended to use them. Also, the next version of the OAuth spec (2.1) won’t support wildcards any more.

Please don’t link to resources which mention the modification of built-in / internal classes. This way you get a hard dependency on Keycloak versions/implementations and in the worst case, people are no longer able to upgrade in a convenient way. Overwriting internal classes is highly discouraged, likely to break things and SHOULD really NOT be done!

One can use the postInit() method of every provider factory to react to realm-create events. E.g. one can implement a regular event-listener provider factory for this and simply not implement the provider itself.

I did something similar here in my example, where I react on the RealmModel.RealmPostCreateEvent:

(in fact, I created a distinct custom interface InitializerProviderFactory for acting upon server startup)

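The approach from this last reply, as an added example rather than the author's linked code: an EventListenerProviderFactory that does nothing in create() but uses postInit() to register a ProviderEventListener for RealmModel.RealmPostCreateEvent, and builds the broker redirect URI of the new realm in the same shape the question shows. The class name, the provider id and the "base-url" config key are assumptions, and the hand-off to the IdP is only logged, since the thread notes Google offers no API to register redirect URIs.

```java
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;

// Wired in via META-INF/services/org.keycloak.events.EventListenerProviderFactory.
public class RealmCreatedRedirectRegistrarFactory implements EventListenerProviderFactory {
    private static final Logger LOG = Logger.getLogger(RealmCreatedRedirectRegistrarFactory.class);
    private String baseUrl;
    @Override public String getId() { return "realm-created-redirect-registrar"; } // hypothetical id

    @Override public void init(Config.Scope config) {
        // Frontend base URL the broker endpoints hang off; "base-url" is an assumed config key.
        baseUrl = config.get("base-url", "http://localhost:8080/auth");
    }

    @Override public void postInit(KeycloakSessionFactory factory) {
        // Subscribe to Keycloak's internal provider events: RealmPostCreateEvent fires once per new realm.
        factory.register(event -> {
            if (event instanceof RealmModel.RealmPostCreateEvent) {
                RealmModel realm = ((RealmModel.RealmPostCreateEvent) event).getCreatedRealm();
                onRealmCreated(realm.getName());
            }
        });
    }

    // Mirrors the redirect URI Keycloak assigns to a realm's identity-provider broker endpoint.
    String brokerRedirectUri(String realmName, String idpAlias) {
        return baseUrl + "/realms/" + realmName + "/broker/" + idpAlias + "/endpoint";
    }
    private void onRealmCreated(String realmName) {
        // Hypothetical hand-off point: Google's console has no API for this, so the URI is only logged.
        LOG.infof("Realm %s needs authorized redirect URI %s", realmName, brokerRedirectUri(realmName, "google"));
    }

    @Override public EventListenerProvider create(KeycloakSession session) {
        // No per-request work is needed; a no-op provider keeps the listener harmless if an admin enables it.
        return new EventListenerProvider() {
            public void onEvent(Event event) { }
            public void onEvent(AdminEvent event, boolean includeRepresentation) { }
            public void close() { }
        };
    }
    @Override public void close() { }
}
```

On Keycloak versions that dropped the /auth context path, set "base-url" accordingly so the built URI matches what the Identity Provider page displays.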