[keycloak-dev] Revoking consents and permissions for AccountRestService endpoint
Bruno Oliveira
bruno at abstractj.org
Fri Nov 8 15:40:10 EST 2019
Good afternoon,
For the applications page, in the new account console, we have the
requirement to revoke the consents granted for third-party apps.
We already have an endpoint in the AccountRestService[1] for it:
```java
@Path("/applications/{clientId}/consent")
@DELETE
public Response revokeConsent(final @PathParam("clientId") String clientId) {
    checkAccountApiEnabled();
    // Caller must hold manage-consent on the account client, otherwise 403
    auth.requireOneOf(AccountRoles.MANAGE_CONSENT);
    ....
}
```
That's exactly what we need, although the REST calls will return HTTP
403 because there's no such role as MANAGE_CONSENT for the `account`
client.
I'd like to change the endpoint, so that the `account` client would be
able to revoke consents. Something like:
```java
@Path("/applications/{clientId}/consent")
@DELETE
public Response revokeConsent(final @PathParam("clientId") String clientId) {
    checkAccountApiEnabled();
    // Either manage-consent or manage-account is enough to revoke
    auth.requireOneOf(AccountRoles.MANAGE_CONSENT, AccountRoles.MANAGE_ACCOUNT);
    ....
}
```
Does it make sense?
[1] - https://github.com/keycloak/keycloak/blob/041229f9ca393d9bf7a92cabcf1e8b474021fe89/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java#L352
--
- abstractj
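The following is an added example, not code from the message above or from Keycloak itself. It models the `requireOneOf` check on a decoded access token so the effect of the proposed change can be seen: a caller whose `account`-client roles contain only `manage-account` gets 403 under the current check and 204 under the proposed one. Assumptions: the role strings `manage-consent` and `manage-account` stand in for the `AccountRoles` constants, account-client roles are read from the token's `resource_access.account.roles` claim, and the token's signature has been verified before this code runs (the sample token is constructed and unsigned).

```python
import base64
import json

# Role names on the `account` client; assumed to match the
# AccountRoles constants named in the message (assumption).
MANAGE_ACCOUNT = "manage-account"
MANAGE_CONSENT = "manage-consent"


class Forbidden(Exception):
    """Raised where the real endpoint would answer HTTP 403."""
    status = 403


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def account_roles(access_token: str) -> set[str]:
    """Roles the caller holds on the `account` client, read from the
    resource_access claim. Signature verification is assumed to have been
    done by the caller; this helper only decodes the payload."""
    try:
        _header, payload, _signature = access_token.split(".")
    except ValueError:
        raise Forbidden("malformed token") from None
    claims = json.loads(_b64url_decode(payload))
    account = claims.get("resource_access", {}).get("account", {})
    return set(account.get("roles", []))


def require_one_of(roles: set[str], *required: str) -> None:
    """Model of auth.requireOneOf: pass if the caller holds any required role."""
    if not roles.intersection(required):
        raise Forbidden(f"needs one of {sorted(required)}, has {sorted(roles)}")


def revoke_consent(access_token: str, client_id: str, *required: str) -> int:
    """Model of DELETE /applications/{clientId}/consent.
    Returns the HTTP status the endpoint would answer with."""
    try:
        require_one_of(account_roles(access_token), *required)
    except Forbidden as exc:
        return exc.status
    # The consent removal itself is outside this example; 204 models success.
    return 204


# --- constructed sample token (unsigned, for illustration only) ----------
def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def sample_token(roles: list[str]) -> str:
    """Unsigned JWT carrying the given account-client roles (constructed)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "sub": "user-1",
        "azp": "account",
        "resource_access": {"account": {"roles": roles}},
    }
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


def compare_policies(roles: list[str]) -> dict[str, int]:
    """Status under the current check (manage-consent only) and the proposed
    check (manage-consent or manage-account) for a caller holding `roles`."""
    token = sample_token(roles)
    return {
        "current": revoke_consent(token, "third-party-app", MANAGE_CONSENT),
        "proposed": revoke_consent(
            token, "third-party-app", MANAGE_CONSENT, MANAGE_ACCOUNT
        ),
    }


if __name__ == "__main__":
    # A user of the account console typically carries manage-account only.
    print(compare_policies(["manage-account"]))  # {'current': 403, 'proposed': 204}
```

The point the model makes explicit is that `requireOneOf` widens, not narrows, the set of callers: adding `MANAGE_ACCOUNT` lets every holder of that role revoke consents, so the change should only be made if that is the intended policy for the account client. In a real deployment the roles must come from a signature-verified token; decoding alone, as done here, is not an authorization check.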