[keycloak-user] Role required to manage user consents from REST API

Paul Grebenc paul at grebenc.ca
Fri Jul 20 15:47:48 EDT 2018


I have been doing some investigation with Keycloak 3.4.3.Final, and have
noticed something that I am wondering about.

It is possible for me to request an offline token for a given user with a
password grant, and that consent will show up for the user under the user's
Consents tab in the admin console.

In terms of managing any granted consents (for the purpose of allowing a
user to revoke a consent that they have granted), I have been able to do
the following:

curl -X GET -H "Authorization: Bearer <authToken>" \
  "http://localhost:8080/auth/admin/realms/master/users/<userId>/consents"


This returns all current consents granted by the user.  I can then also do
the following:


curl -X DELETE -H "Authorization: Bearer <authToken>" \
  "http://localhost:8080/auth/admin/realms/master/users/<userId>/consents/<clientId>"


This revokes the consent granted by the specified user for the specified
client.


This is good so far, but I noticed that I was only authorized to perform
these operations as admin, and not as the user in question who has granted
these consents.  Through experimentation, I was able to determine that if I
add the role "admin" to the user, that user is then authorized for these
operations.


Is this intentional?  It was originally my expectation that a user who has
granted consents should be able to view or revoke their own consents
without having to have the admin role assigned.


Also, looking through the REST API documentation, I didn't see anything
related to roles and authorization.  Are all operations only accessible by
users with the admin role assigned?


Regards,

Paul
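
An added example, not part of the original post or of Keycloak's own code: a way to inspect which roles a bearer token carries before calling the two consents endpoints above. It assumes Keycloak's standard `realm_access` / `resource_access` token claims and that the `view-users` and `manage-users` roles of the `realm-management` (or `master-realm`) client gate these calls; the post itself only confirms the `admin` realm role. The sample tokens are constructed and unsigned.

```python
import base64
import json

# Assumptions (not from the post): Keycloak default admin client ids and
# the client roles expected to gate each consents call.
ADMIN_CLIENTS = ("realm-management", "master-realm")
REQUIRED = {"GET": {"view-users", "manage-users"}, "DELETE": {"manage-users"}}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def consent_access(claims):
    """Map each consents HTTP method to whether the token's roles should allow it."""
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = set()
    for client in ADMIN_CLIENTS:
        entry = claims.get("resource_access", {}).get(client, {})
        client_roles.update(entry.get("roles", []))
    if "admin" in realm_roles:  # the case the post confirmed by experiment
        return {method: True for method in REQUIRED}
    return {method: bool(needed & client_roles) for method, needed in REQUIRED.items()}


def sample_token(claims):
    """Build a constructed, unsigned token for offline testing."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    samples = {
        "plain user": {"realm_access": {"roles": ["offline_access"]}},
        "realm admin": {"realm_access": {"roles": ["admin"]}},
        "view-users only": {
            "resource_access": {"realm-management": {"roles": ["view-users"]}}
        },
    }
    for label, claims in samples.items():
        print(label, consent_access(jwt_claims(sample_token(claims))))
```

A token that passes this check with only `view-users` or `manage-users` shows the caller does not need the full `admin` composite role, which is the least-privilege question the post raises.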

