[keycloak-user] Configure granted consents to not persistent
Marek Posolda
mposolda at redhat.com
Tue May 22 02:40:12 EDT 2018
First I suggest taking a look at the "Server Developer" guide and looking
at the SPI chapter. Then look at our "providers" examples and
quickstarts. This should give you some understanding of providers/SPI in
Keycloak. Then you can take a look at the JPA provider itself. It's the
SPI "user" and you will need to create a new provider and extend
JpaUserProvider and JpaUserProviderFactory and then configure your
provider in standalone.xml for SPI "user".
Marek
On 22/05/18 05:42, CS CHONG wrote:
> Hi Marek,
>
> Since we want to force the user to click on consent every time they log in, it's okay to "override default UserProvider".
>
> Do you know where I can update/override the UserProvider (JpaUserProvider)?
>
> Thanks!
>
>
> Regards,
> CS
>
> On 21/5/18, 6:23 PM, "Marek Posolda" <mposolda at redhat.com> wrote:
>
> Hi,
>
> At this moment it's not available OOTB. There are unsupported ways to
> work around this. For example, override the default UserProvider
> (JpaUserProvider) and change the consent-related CRUD methods to do
> nothing.
>
> Feel free to create a JIRA for this. Maybe we can either:
> - Add a flag to the client (or clientScope?) for whether consent should be persistent.
> - Use some OpenID standard mechanisms. For example, the consent screen will
> always be shown if the parameter "prompt=login" is used at the initial
> OIDC Authentication Endpoint request. The thing is that users can
> manually update the URL to bypass this, which is likely not good from
> a security perspective. Will it work for you?
>
> Thanks,
> Marek
>
> On 02/05/18 07:25, CS CHONG wrote:
> > Hi,
> >
> > Are we able to force the user to confirm consent after every login?
> >
> > In other words, the user will need to confirm consent for a particular client every time they log in.
> >
> >
> > I understand that Keycloak introduced "Persistent grants" in release 1.2.0.CR1 <https://blog.keycloak.org/2015/05/persistent-grants-in-keycloak.html>, with which the user doesn't need to confirm consent for a particular client multiple times.
> >
> > I couldn't find any similar solutions in the KC documentation or the KC forum. I would greatly appreciate it if you could kindly give me some
> > hints.
> >
> > Regards,
> > CS
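
The override described in the thread above (extend JpaUserProvider and JpaUserProviderFactory and make the consent methods do nothing), as an added example that is not code from the thread or from the Keycloak project. The class names, package and provider id are hypothetical, and the method signatures are assumed to match the UserProvider interface of Keycloak releases from the time of this thread (4.x); check them against the version in use.

```java
package example.keycloak; // hypothetical package

import javax.persistence.EntityManager;
import org.keycloak.connections.jpa.JpaConnectionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserConsentModel;
import org.keycloak.models.UserProvider;
import org.keycloak.models.jpa.JpaUserProvider;
import org.keycloak.models.jpa.JpaUserProviderFactory;

// List this class in META-INF/services/org.keycloak.models.UserProviderFactory,
// then select its id for the SPI "user" in standalone.xml.
public class NonPersistentConsentUserProviderFactory extends JpaUserProviderFactory {

    @Override
    public String getId() {
        return "jpa-no-stored-consent"; // hypothetical provider id
    }

    @Override
    public UserProvider create(KeycloakSession session) {
        EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
        return new NonPersistentConsentUserProvider(session, em);
    }

    // Same JPA user storage as the default provider, minus stored consents.
    static class NonPersistentConsentUserProvider extends JpaUserProvider {

        NonPersistentConsentUserProvider(KeycloakSession session, EntityManager em) {
            super(session, em);
        }

        @Override
        public void addConsent(RealmModel realm, String userId, UserConsentModel consent) {
            // Intentionally empty: a granted consent is never written to the database.
        }

        @Override
        public void updateConsent(RealmModel realm, String userId, UserConsentModel consent) {
            // Intentionally empty: no consent row exists to update.
        }

        @Override
        public UserConsentModel getConsentByClient(RealmModel realm, String userId, String clientId) {
            return null; // report "not granted", even for rows stored earlier
        }
    }
}
```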