[keycloak-dev] Revoking consents and permissions for AccountRestService endpoint

Stian Thorgersen sthorger at redhat.com
Mon Nov 11 03:01:22 EST 2019


Yes, MANAGE_ACCOUNT should be able to do everything, including manage
consent.

On Fri, 8 Nov 2019 at 21:44, Bruno Oliveira <bruno at abstractj.org> wrote:

> Good afternoon,
>
> For the applications page, in the new account console, we have the
> requirement to revoke the consents granted for third-party apps.
>
> We already have an endpoint in the AccountRestService[1] for it:
> ```
> @Path("/applications/{clientId}/consent")
> @DELETE
> public Response revokeConsent(final @PathParam("clientId") String
> clientId) {
>   checkAccountApiEnabled();
>   auth.requireOneOf(AccountRoles.MANAGE_CONSENT);
> ....
> }
> ```
>
> That's exactly what we need, although the REST calls will return HTTP
> 403 because there's no such role as MANAGE_CONSENT for the `account`
> client.
>
> I'd like to change the endpoint, so that the `account` client would be
> able to revoke consents. Something like:
> ```
> @Path("/applications/{clientId}/consent")
> @DELETE
> public Response revokeConsent(final @PathParam("clientId") String
> clientId) {
>   checkAccountApiEnabled();
>   auth.requireOneOf(AccountRoles.MANAGE_CONSENT,
> AccountRoles.MANAGE_ACCOUNT);
> ```
>
> Does it make sense?
>
> [1] - https://github.com/keycloak/keycloak/blob/041229f9ca393d9bf7a92cabcf1e8b474021fe89/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java#L352
>
> --
> - abstractj
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
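The role check the thread is discussing, as an added stand-alone illustration that is not Keycloak's code and not part of either message: a minimal stand-in for `auth.requireOneOf(...)` is run against a token that carries only the `account` client's `manage-account` role, first with the check as quoted (MANAGE_CONSENT only, which yields the 403 Bruno describes) and then with the proposed check (MANAGE_CONSENT or MANAGE_ACCOUNT). The `Auth`/`ForbiddenException` classes and the status codes are simplified assumptions for the example; the role names `manage-account` and `manage-consent` are assumed to match the `AccountRoles` constants.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not Keycloak code: models the auth.requireOneOf(...) check
// from the quoted revokeConsent endpoint with a minimal stand-in for the
// caller's roles on the `account` client.
public class ConsentRevokeAuthzExample {

    // Assumed to match AccountRoles.MANAGE_ACCOUNT / MANAGE_CONSENT.
    static final String MANAGE_ACCOUNT = "manage-account";
    static final String MANAGE_CONSENT = "manage-consent";

    // Stand-in for the failure the REST layer turns into HTTP 403.
    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    // Stand-in for the Auth helper: the roles the token carries for the
    // `account` client.
    static class Auth {
        private final Set<String> roles;

        Auth(String... roles) {
            this.roles = new HashSet<>(Arrays.asList(roles));
        }

        // Passes if the caller holds at least one of the listed roles,
        // otherwise rejects the request.
        void requireOneOf(String... required) {
            for (String r : required) {
                if (roles.contains(r)) {
                    return;
                }
            }
            throw new ForbiddenException("caller holds none of " + Arrays.toString(required));
        }
    }

    // Check as quoted from the endpoint: MANAGE_CONSENT only.
    static int revokeConsentAsQuoted(Auth auth, String clientId) {
        try {
            auth.requireOneOf(MANAGE_CONSENT);
        } catch (ForbiddenException e) {
            return 403;
        }
        return 204; // consent for clientId would be removed here
    }

    // Proposed check: MANAGE_CONSENT or MANAGE_ACCOUNT.
    static int revokeConsentProposed(Auth auth, String clientId) {
        try {
            auth.requireOneOf(MANAGE_CONSENT, MANAGE_ACCOUNT);
        } catch (ForbiddenException e) {
            return 403;
        }
        return 204;
    }

    public static void main(String[] args) {
        // Constructed sample callers: the account console holding only
        // manage-account (the case described in the thread), and a token
        // with no account roles at all.
        Auth accountConsole = new Auth(MANAGE_ACCOUNT);
        Auth noRoles = new Auth();
        String clientId = "third-party-app";

        System.out.println("as quoted, manage-account only: " + revokeConsentAsQuoted(accountConsole, clientId));
        System.out.println("proposed,  manage-account only: " + revokeConsentProposed(accountConsole, clientId));
        System.out.println("proposed,  no roles:            " + revokeConsentProposed(noRoles, clientId));
    }
}
```

Compile and run with `javac ConsentRevokeAuthzExample.java && java ConsentRevokeAuthzExample`; the first call reports 403, the second 204, and the third 403, which is the behavioural difference between the two `requireOneOf` calls in the quoted snippets.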

