Hi everybody (and probably especially Stan and Stian),
In some of our projects we want to make heavy use of Keycloaks ability to obtain user
consent to third parties to access user data in our APIs.
In one project, the third parties provide modules that plug into our app and the user
should give his consent for this plugin at plugin installation time.
We plan to have one client for every plugin so the user can for every plugin decide which
scope of backend API access it wants to grant to the plugin.
I would be cool if asking for consent would be possible from the app in its UI at the
point when the user installs the plugin.
To do that, we would like to extend the account REST Api that’s currently in preview state
a) covers the “applications” functionality (this is currently a TODO)
b) allows to create consents using the REST Api. I am well aware there might be
security implications here for clients that are essentially public, e.g. a rogue app could
manage consents of a user if he does not pay attention.
c) use a finer-grained role model for the accounts service, e.g. at least splitting up
view-account into view-profile+view-consents and manage-account into
manage-profile+manage-consents so we can control which clients may invoke the consents
functionality or we can prevent changing profile attributes
that come from an external IDP in our case.
What do you think about these changes/additions? Do they make sense? If yes, we would like
to contribute them.
Thanks and best regards,
Mit freundlichen Grüßen / Best regards
Dr.-Ing. Sebastian Schuster
Open Source Services (INST-CSS/BSV-OS2)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY |
Tel. +49 30 726112-485 | Mobil +49 152 02177668 | Fax +49 30 726112-100 |
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber,
Michael Hahn, Dr. Aleksandar Mitrovic