12:25 a.m.
Hi,
Are we able to force user to confirm consent after every login ?
In another words, user will need to confirm consent for a particular client every time
when they login.
I understand that Keycloak has introduced "Persistent grants” in released 1.2.0.CR1
<https://blog.keycloak.org/2015/05/persistent-grants-in-keycloak.html>;, which user
doesn't need to confirm consent for particular client more times.
I couldn’t found any similar solutions from KC documentation, or KC forum. I would greatly
appreciate it if you kindly give me some
hints.
Regards,
CS
5:23 a.m.
Hi,
at this moment it's not available OOTB. There are unsupported ways to
workaround this. For example override default UserProvider
(JpaUserProvider) and change the consent related CRUD methods to do
nothing.
Feel free to create JIRA for this. Maybe we can either:
- Add flag to client (or clientScope?) whether consent should be persistent.
- Use some OpenID standard mechanisms. For example consent screen will
be always shown if the parameter "prompt=login" is used at the initial
OIDC Authentication Endpoint request. The thing is, that users can
manually update URL to bypass this, which is likely not good from
security perspective. Will it work for you?
Thanks,
Marek
On 02/05/18 07:25, CS CHONG wrote:
Hi,
Are we able to force user to confirm consent after every login ?
In another words, user will need to confirm consent for a particular client every time
when they login.
I understand that Keycloak has introduced "Persistent grants” in released 1.2.0.CR1
<https://blog.keycloak.org/2015/05/persistent-grants-in-keycloak.html>;, which user
doesn't need to confirm consent for particular client more times.
I couldn’t found any similar solutions from KC documentation, or KC forum. I would
greatly appreciate it if you kindly give me some
hints.
Regards,
CS
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
10:42 p.m.
Hi Marek,
Since we want to enforce user to click on consent every time when they login, it's
okay to "override default UserProvider".
Do you know where can I update/override the UserProvider (JpaUserProvider) ?
Thanks !
Regards,
CS
On 21/5/18, 6:23 PM, "Marek Posolda" <mposolda(a)redhat.com> wrote:
Hi,
at this moment it's not available OOTB. There are unsupported ways to
workaround this. For example override default UserProvider
(JpaUserProvider) and change the consent related CRUD methods to do
nothing.
Feel free to create JIRA for this. Maybe we can either:
- Add flag to client (or clientScope?) whether consent should be persistent.
- Use some OpenID standard mechanisms. For example consent screen will
be always shown if the parameter "prompt=login" is used at the initial
OIDC Authentication Endpoint request. The thing is, that users can
manually update URL to bypass this, which is likely not good from
security perspective. Will it work for you?
Thanks,
Marek
On 02/05/18 07:25, CS CHONG wrote:
Hi,
Are we able to force user to confirm consent after every login ?
In another words, user will need to confirm consent for a particular client every time
when they login.
I understand that Keycloak has introduced "Persistent grants” in released 1.2.0.CR1
<https://blog.keycloak.org/2015/05/persistent-grants-in-keycloak.html>;, which user
doesn't need to confirm consent for particular client more times.
I couldn’t found any similar solutions from KC documentation, or KC forum. I would
greatly appreciate it if you kindly give me some
hints.
Regards,
CS
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:40 a.m.
First I suggest to take a look at the "Server Developer" guide and look
at the SPI chapter. Then looking at our "providers" examples and
quickstarts. This should give you some understanding of providers/SPI in
Keycloak. Then you can take a look at the JPA provider itself. It's the
SPI "user" and you will need to create new provider and extend
JpaUserProvider and JpaUserProviderFactory and then configure your
provider in standalone.xml for SPI "user" .
Marek
On 22/05/18 05:42, CS CHONG wrote:
Hi Marek,
Since we want to enforce user to click on consent every time when they login, it's
okay to "override default UserProvider".
Do you know where can I update/override the UserProvider (JpaUserProvider) ?
Thanks !
Regards,
CS
On 21/5/18, 6:23 PM, "Marek Posolda" <mposolda(a)redhat.com> wrote:
Hi,
at this moment it's not available OOTB. There are unsupported ways to
workaround this. For example override default UserProvider
(JpaUserProvider) and change the consent related CRUD methods to do
nothing.
Feel free to create JIRA for this. Maybe we can either:
- Add flag to client (or clientScope?) whether consent should be persistent.
- Use some OpenID standard mechanisms. For example consent screen will
be always shown if the parameter "prompt=login" is used at the initial
OIDC Authentication Endpoint request. The thing is, that users can
manually update URL to bypass this, which is likely not good from
security perspective. Will it work for you?
Thanks,
Marek
On 02/05/18 07:25, CS CHONG wrote:
> Hi,
>
> Are we able to force user to confirm consent after every login ?
>
> In another words, user will need to confirm consent for a particular client
every time when they login.
>
>
> I understand that Keycloak has introduced "Persistent grants” in released
1.2.0.CR1 <https://blog.keycloak.org/2015/05/persistent-grants-in-keycloak.html>;,
which user doesn't need to confirm consent for particular client more times.
>
> I couldn’t found any similar solutions from KC documentation, or KC forum. I
would greatly appreciate it if you kindly give me some
> hints.
>
> Regards,
> CS
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
2425
days inactive
2445
days old
3 comments
2 participants
participants (2)
-
CS CHONG -
Marek Posolda