We Keep Coding

Can I whitelist all domains for Keycloak in the development environment?

Let's say we have a lot of projects. Project1, Project2, etc. and let's say their local development domains are example1.local and example2.local, etc.
Now we have set up a Keycloak instance of our development machine, with a Development realm inside it, with an AdminPanel client in that realm, and we want to use it for all of our projects.
We can manually add https://example1.local/* and https://example2.local/* etc. to valid redirect URLs and web origins.
But this means that we need to add each and every project we have and we do many many projects per year.
We tried https://* but it did not let us login complaining about invalid redirect_uri.
Is it possible to whitelist every domain for Keycloak?

You should be able to do that. I suggest to check your configuration again. Something like this works perfectly for my scenario which is the same as yours. The only difference is that I created a dedicated client for my applications, but still it's single client for many dev environments:
Valid Redirect URIs: https://* or https://*.local
Web Origin: *
Don't put anything extra for Web Origin. Just the * but this is only needed for example if you want to use a swagger-ui hosted on somewhere else. It allows swagger from any domain ask for token from the Keycloak. If you don't put the *, due to CORS error, the swagger-ui or any tools like that would not be able to fetch token.
It's a minor thing, but worth mentioning that you put https:// in the config, so the client app should also be accessed using https. If someone type http by mistake, the same error would be returned.

We tried https://* but it did not let us login complaining about
invalid redirect_uri.
Unless you are working in a testing environment, or you want to get hacked, DO NOT DO THIS in a production environment. From OAuth 2.0 Security Best Current Practice you read an explanation of a an exploit based on this misconfiguration.
Therefore, you should make your registered redirect URIs as specific as feasible, and simply using a wildcard in a big no-no.
But this means that we need to add each and every project we have and
we do many many projects per year.
Wouldn't it be possible to automatize this via scripts or so? Get the project names and then call the Keycloak Admin API to add those redirectURIs to the client?!

How to use Facebook for Developers share button using localhost

I'm trying to have a Facebook share button which shares the link of the current page. I am using localhost and Facebook is unable to reach my website since I'm using localhost (xampp). Is there any way to get around this? I have seen people mention about using tunnelme, but I don't see a tutorial on how to do it. Any guidance would be appreciated.

My technique to deal with this kind of issue is define some fake domain in /etc/hosts (Linux o MacOS) or C:\Windows\System32\drivers\etc\hosts in Windows.
something like:
127.0.0.1 customdomain.liquidtabs
(Do not use .devel because now is a valid TLD and cause some collisions).
In the last time, I'm using a local DNS server (like dnsmasq) to define multiple custom local fake domains.
Finally, in your Facebook app configuration, you must add your fake domain as an allowed domain to access the API.
In the last time, Google Developers Console requires a valid domain (for example, finished in .com, like mycustomfakedomain.com). I do not remember if Facebook too.
In this case, you must define a "valid" domain and override it in the hosts file. Like:
127.0.0.1 customdomain.local.liquidtabs.com
Now, run your website using your fake domain. You should now be able to access Facebook from the library (or Google or any other domain-restricted library) from "localhost".

Using localhost to test Facebook canvas app

I want to create and test an app initially from localhost (were I run Ruby on Rails or Glassfish). I have read many postings about how to do this and NONE work. I have tried all the solutions discussed on stackoverflow and other sites.
Does anyone have a current method that does work (2015)?
Following did not work
1) in Canvas URL http://localhost:3000/users/index/ with and without localhost as domains
2) Tried editing the Advanced tab to add redirect URL to same URL.
What happens is I get a blank screen (I have even tried really simple hello world type apps that run locally so it should work with facebook).
Thank you,
Lynne

you have to configure secure canvas URL for canvas apps . it is mandatory and it has to be a https URL.

edit: This is actually a lot easier than I thought. I found this python script that creates a local https server. The only issue was that facebook is sending a POST request on the canvas page, and this server doesn't support POST requests, so I modified it a bit and now it handles the facebook canvas page correctly.
You don't need a domain, and in the script it tells you how to generate the self signed certificate. In the facebook app settings you can set https://localhost:4443/ as canvas url.
old post:
It is possible but it's a bit of a hassle. You can set a dns to 127.0.0.1 and use that. So if you own example.com, you can create an A DNS record for localhost.example.com and set it to 127.0.0.1.
The difficult part is that you have to find some way to create a certificate for this domain. If you want an official cert, the easiest option out there is Let's Encrypt. Verification of your domain through an https server is going to be difficult, since the Let's Encrypt servers will try to contact 127.0.0.1. So you're probably better of using DNS challenge validation. Another option would be a self signed certificate, which is a whole different story.
The last step is to find a server that can host https and use the certificates you generated.

Facebook Connect on multiple domains with centralized login

we are looking into implementing Facebook Connect on our wiki service, http://www.wikidot.com. User-created sites span the *.wikidot.com domain, but also custom domains (like mine http://michalf.me), all handled by our single service.
We have a centralized account system. Users always log in (and create accounts) at www.wikidot.com and they are automatically logged in in all subdomains (cookie domain set to .wikidot.com - easy) and custom domains (automatically, via a series of redirects).
We would like to add FC into our login flow. Now, it would be great to get some clarification about FC Terms, which suggests using one App ID for every domain. In our case however user-created sites are not separate applications.
So, is it OK to use FC on one centralized website where our users log in (on www.wikidot.com) and expand user status on other domains connected to our service? This is how it works right now, without FC.
It would be great if we could get clarification from someone from FB to make sure we will not be violating any terms or policies.
Thanks!

It isn't possible (as far as I know anyway) to use the same app ID on multiple domains. FB allows use across subdomains, but I have found some difficultly with this even at times with the cookies. When you set up an app, you are asked to provide the domain for it. The domain you put here is the only domain that your app will work for. If your users are only ever signing in on wikidot.com, then I suppose you can use what you have already to move those sessions onto the other domains, but once you are on the other domain, you won't be able to use any of the facebook api features; any requests you make will fail.
I think the 'one app id for every domain' condition is more to target people who are trying to use multiple app ids for one domain. I think so long as you aren't transferring any data about the user to different domains/adverts etc, you should be ok. Essentially what you are doing is adding FB connect to your wikidot site, then a separate feature of wikidot is to keep you logged in on other partner sites?

Getting RPXNow and Facebook Open Graph to Play Nicely

A requirement to use the RPXNow is to set your Facebook application's connect url to http://mydomain.rpxnow.com.
I was just trying to implement Facebook's Open Graph and I see that it tells you to set the Base Domain to the domain that will contain the app_id.
However, Facebook does not allow these two domains to look different. When I try to set the base url to mydomain.com, I get this error:
Validation failed.
Base Domain is not valid. Connect URL must be derived from your Base Domain.
Should I create two apps - one for use with RPXNow, and another for use with Open Graph? If not, what should I do?
Thanks

The Facebook page regarding Base Domains you linked to states the following:
Facebook Connect stores user credentials in cookies on your application's domain. By default, a cookie set on chicago.citysearch.com would not be readable on sanfrancisco.citysearch.com - the browser treats them as separate domains. If the base domain is set, then Facebook will intentionally set the cookies on the base domain, thus making the cookies readable across multiple subdomains. This allows you to share one authentication session across multiple subdomains.
Note: There is no way to share a cookie across multiple domains. So, for example, if you have a site cnet.com and news.com, then there is no way to make the browser send the same cookies to both those domains. Each of these would require separate API key and separate authentication.
Since your domain and rpxnow.com are different base domains, it seems like you'd need a custom realm (eg. login.yourdomain.com), which is offered from RPXNow at additional cost. You'd probably have to upgrade to "Pro" account (~$95/mo+ ?) or contact RPXNow / Janrain directly and ask them your options.