[keycloak-user] User can't revoke grants for a client without role in Account app

GRMAN, Tomas Tomas.GRMAN at orange.com
Wed Nov 16 02:40:15 EST 2016


Hello,
Suppose we have a client defined with a scope = e.g. 1 role, requiring consent and a user with that role. Assume we don't want to provision users with this role (required implementation on the client side), we have to use a default realm role. The Account application then shows the client in the application screen, without the user giving any consent. Which is btw. perfectly understandable, as in this situation the screen shows only a information about available permissions. This would be quite OK, however with possibly several hundreds of clients, this table would get messy.

Another possibility is to have a client without any scopes defined (full scope is disabled) requiring consent too. If a user accepts the consent, no information is displayed in the application screen of the Account application, and as such the user is unable to revoke the grant.

We'd prefer to show only clients with accepted consents in the application screen, however I'm not sure whether the second possibility mentioned is a bug or feature. Shouldn't it be possible to revoke a grant although no scope (role) is defined?
Any help appreciated.

Tomas



More information about the keycloak-user mailing list