Wednesday, 6 May 2015

Persistent grants in Keycloak

In Keycloak versions before 1.2.0.CR1, we had two separate entities representing client applications: Applications, which did not require consent from the user after authentication, and OAuth Clients, where consent was always required.

In Keycloak 1.2.0.CR1 we simplified this and merged Applications and OAuth Clients into a single Client entity, which has an on/off switch in the Keycloak admin console specifying whether consent is required.

When consent is not required, the client application automatically receives an access token carrying the user's personal info and permissions as soon as the user authenticates. When consent is required, Keycloak displays a consent screen on which the user must approve all the permissions requested by that particular client before any token is issued to it.

From this release, granted consents are persistent: a user no longer needs to confirm consent for a particular client more than once. Each user can also see all the available client applications in Keycloak Account Management, and for each application:

  • The permissions the user holds for that application
  • The personal info the user has granted to that application
  • The permissions the user has granted to that application

The user can also revoke a previously granted consent, so the next time they authenticate to that application, the consent screen is shown again.

Consents can also be viewed and managed from the Keycloak admin console: an admin can see the persisted consents of every user and revoke any of them.
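The same view-and-revoke operations the admin console offers can be scripted against the admin REST API. The following is an added example written for this post, not code from the Keycloak project. It assumes the endpoint paths `/admin/realms/{realm}/users/{id}/consents`, `/admin/realms/{realm}/clients/{id}` and the consent JSON fields `clientId`, `grantedRealmRoles`, `grantedClientRoles` and `grantedProtocolMappers` as exposed by later Keycloak releases, plus a public `admin-cli` client for obtaining the admin token; the sample consent list at the bottom is constructed by hand so the summary part runs offline.

```python
"""Inspect, change and revoke persisted consents through the Keycloak admin REST API.

Added example, not code from the Keycloak project. The endpoint paths and the
JSON field names below are those of the admin REST API in later Keycloak
releases and are assumptions for 1.2.0.CR1; check them against your server's
version before relying on them.
"""
import json
import urllib.parse
import urllib.request


def admin_token(base_url, realm, username, password, client_id="admin-cli"):
    """Fetch an admin access token with the resource-owner password grant.

    Assumes a public client named `admin-cli` exists in the realm.
    """
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(url, data=form, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _admin_call(base_url, token, path, method="GET", body=None):
    """Send one bearer-authenticated request to /admin/realms{path}; return parsed JSON or None."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{base_url}/admin/realms{path}", data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()          # DELETE answers 204 with an empty body
    return json.loads(raw) if raw else None


def set_consent_required(base_url, token, realm, client_uuid, required):
    """Flip the client's consent switch (the `consentRequired` field of the client
    representation). `client_uuid` is the client's internal id, not its clientId."""
    path = f"/{realm}/clients/{client_uuid}"
    rep = _admin_call(base_url, token, path)
    rep["consentRequired"] = bool(required)
    _admin_call(base_url, token, path, method="PUT", body=rep)


def list_consents(base_url, token, realm, user_id):
    """GET /admin/realms/{realm}/users/{user_id}/consents -> list of consent representations."""
    return _admin_call(base_url, token, f"/{realm}/users/{user_id}/consents")


def revoke_consent(base_url, token, realm, user_id, client_id):
    """DELETE the persisted consent for one client; the consent screen appears again at the next login."""
    _admin_call(base_url, token, f"/{realm}/users/{user_id}/consents/{client_id}", method="DELETE")


def summarize_consents(consents):
    """Reduce consent representations to {clientId: {"roles": [...], "personal_info": [...]}}.

    Field names grantedRealmRoles / grantedClientRoles / grantedProtocolMappers follow the
    1.x UserConsentRepresentation and are an assumption here; absent fields count as empty.
    """
    summary = {}
    for consent in consents:
        roles = list(consent.get("grantedRealmRoles") or [])
        for client, client_roles in (consent.get("grantedClientRoles") or {}).items():
            roles.extend(f"{client}/{role}" for role in client_roles)
        personal_info = []
        for mapper_names in (consent.get("grantedProtocolMappers") or {}).values():
            personal_info.extend(mapper_names)
        summary[consent["clientId"]] = {"roles": sorted(roles), "personal_info": sorted(personal_info)}
    return summary


def revoke_all_consents(base_url, token, realm, user_id):
    """Revoke every persisted consent of one user (e.g. after an account compromise).
    Returns the clientIds whose consent was revoked."""
    revoked = []
    for consent in list_consents(base_url, token, realm, user_id) or []:
        revoke_consent(base_url, token, realm, user_id, consent["clientId"])
        revoked.append(consent["clientId"])
    return revoked


# Constructed sample of what list_consents() returns; not captured from a real server.
SAMPLE_CONSENTS = [
    {"clientId": "photo-app",
     "grantedRealmRoles": ["user"],
     "grantedClientRoles": {"photo-app": ["view-albums"]},
     "grantedProtocolMappers": {"openid-connect": ["email", "full name"]}},
    {"clientId": "cli-tool",
     "grantedProtocolMappers": {"openid-connect": ["username"]}},
]

if __name__ == "__main__":
    for client, grants in summarize_consents(SAMPLE_CONSENTS).items():
        print(client, "roles:", grants["roles"], "personal info:", grants["personal_info"])
```

For a 1.x server `base_url` includes the `/auth` context path (for example `http://localhost:8080/auth`). Only `summarize_consents` runs offline; the other functions need a reachable server and an account with the realm's admin role.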