[keycloak-user] Configure granted consents to not persistent
Marek Posolda
mposolda at redhat.com
Mon May 21 06:23:47 EDT 2018
Hi,
at this moment it's not available OOTB. There are unsupported ways to
workaround this. For example override default UserProvider
(JpaUserProvider) and change the consent related CRUD methods to do
nothing.
Feel free to create JIRA for this. Maybe we can either:
- Add flag to client (or clientScope?) whether consent should be persistent.
- Use some OpenID standard mechanisms. For example consent screen will
be always shown if the parameter "prompt=login" is used at the initial
OIDC Authentication Endpoint request. The thing is, that users can
manually update URL to bypass this, which is likely not good from
security perspective. Will it work for you?
Thanks,
Marek
On 02/05/18 07:25, CS CHONG wrote:
> Hi,
>
> Are we able to force user to confirm consent after every login ?
>
> In another words, user will need to confirm consent for a particular client every time when they login.
>
>
> I understand that Keycloak has introduced "Persistent grants” in released 1.2.0.CR1 <https://blog.keycloak.org/2015/05/persistent-grants-in-keycloak.html>, which user doesn't need to confirm consent for particular client more times.
>
> I couldn’t found any similar solutions from KC documentation, or KC forum. I would greatly appreciate it if you kindly give me some
> hints.
>
> Regards,
> CS
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list