[keycloak-user] Configure granted consents to not persistent

Marek Posolda mposolda at redhat.com
Mon May 21 06:23:47 EDT 2018


Hi,

at this moment it's not available OOTB. There are unsupported ways to 
work around this. For example, override the default UserProvider 
(JpaUserProvider) and change the consent-related CRUD methods to do 
nothing.

Feel free to create a JIRA for this. Maybe we can either:
- Add a flag to the client (or clientScope?) for whether consent should be persistent.
- Use some OpenID standard mechanisms. For example, the consent screen will 
always be shown if the parameter "prompt=login" is used in the initial 
OIDC Authentication Endpoint request. The thing is that users can 
manually update the URL to bypass this, which is likely not good from a 
security perspective. Will it work for you?

Thanks,
Marek

On 02/05/18 07:25, CS CHONG wrote:
> Hi,
>
> Are we able to force users to confirm consent after every login?
>
> In other words, the user will need to confirm consent for a particular client every time they log in.
>
>
> I understand that Keycloak introduced "Persistent grants" in release 1.2.0.CR1 <https://blog.keycloak.org/2015/05/persistent-grants-in-keycloak.html>, so that the user doesn't need to confirm consent for a particular client multiple times.
>
> I couldn't find any similar solutions in the KC documentation or the KC forum. I would greatly appreciate it if you could kindly give me some hints.
>
> Regards,
> CS
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

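The unsupported workaround Marek sketches above, as an added example that is not Keycloak's own code: a JpaUserProvider subclass whose consent CRUD methods are no-ops, so no grant is ever stored and the consent screen returns at every login. Method signatures follow Keycloak's 2018-era (3.x/4.x) UserProvider and are an assumption to check against the version you run; the provider id "jpa-no-consent" is made up here.

```java
// Added example, not Keycloak's own code. Consent methods do nothing, so the
// server never finds a stored grant and asks the user again on every login.
// Signatures assumed from the 2018-era UserProvider; verify for your version.
import java.util.Collections;
import java.util.List;
import javax.persistence.EntityManager;
import org.keycloak.Config;
import org.keycloak.connections.jpa.JpaConnectionProvider;
import org.keycloak.models.*;
import org.keycloak.models.jpa.JpaUserProvider;

public class NoPersistentConsentUserProvider extends JpaUserProvider {

    public NoPersistentConsentUserProvider(KeycloakSession session, EntityManager em) {
        super(session, em);
    }
    @Override
    public void addConsent(RealmModel realm, String userId, UserConsentModel consent) {
        // Nothing is written: with no stored grant, Keycloak asks again next time.
    }
    @Override
    public UserConsentModel getConsentByClient(RealmModel realm, String userId, String clientId) {
        return null; // "no grant on record" is what triggers the consent screen
    }
    @Override
    public List<UserConsentModel> getConsents(RealmModel realm, String userId) {
        return Collections.emptyList(); // account console shows nothing to revoke
    }
    @Override
    public void updateConsent(RealmModel realm, String userId, UserConsentModel consent) { }
    @Override
    public boolean revokeConsentForClient(RealmModel realm, String userId, String clientId) {
        return false; // nothing was persisted, so there is nothing to revoke
    }

    /** Factory: list it in META-INF/services/org.keycloak.models.UserProviderFactory
     *  and select its id as the default provider of the user SPI (assumed config path). */
    public static class Factory implements UserProviderFactory {
        @Override
        public UserProvider create(KeycloakSession session) {
            EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
            return new NoPersistentConsentUserProvider(session, em);
        }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
        @Override public String getId() { return "jpa-no-consent"; } // made-up id
    }
}
```

The user cache layer sits in front of this provider, so confirm with caching enabled that a consent granted in one session is not served from cache in the next.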