[keycloak-user] Configure granted consents to not persistent

[CS CHONG]

Hi Marek,

Since we want to enforce user to click on consent every time when they login, it's okay to "override default UserProvider". 

Do you know where can I update/override the UserProvider (JpaUserProvider) ? 

Thanks !


Regards,
CS

On 21/5/18, 6:23 PM, "Marek Posolda" <mposolda at redhat.com> wrote:

    Hi,
    
    at this moment it's not available OOTB. There are unsupported ways to 
    workaround this. For example override default UserProvider 
    (JpaUserProvider) and change the consent related CRUD methods to do 
    nothing.
    
    Feel free to create JIRA for this. Maybe we can either:
    - Add flag to client (or clientScope?) whether consent should be persistent.
    - Use some OpenID standard mechanisms. For example consent screen will 
    be always shown if the parameter "prompt=login" is used at the initial 
    OIDC Authentication Endpoint request. The thing is, that users can 
    manually update URL to bypass this, which is likely not good from 
    security perspective. Will it work for you?
    
    Thanks,
    Marek
    
    On 02/05/18 07:25, CS CHONG wrote:
    > Hi,
    >
    > Are we able to force user to confirm consent after every login ?
    >
    > In another words, user will need to confirm consent for a particular client every time when they login.
    >
    >
    > I understand that Keycloak has introduced "Persistent grants” in released 1.2.0.CR1 <https://blog.keycloak.org/2015/05/persistent-grants-in-keycloak.html>, which user doesn't need to confirm consent for particular client more times.
    >
    > I couldn’t found any similar solutions from KC documentation, or KC forum. I would greatly appreciate it if you kindly give me some
    >   hints.
    >
    > Regards,
    > CS
    > _______________________________________________
    > keycloak-user mailing list
    > keycloak-user at lists.jboss.org
    > https://lists.jboss.org/mailman/listinfo/keycloak-user