Details
- Task
- Status: Closed
- Minor
- Resolution: Done
Description
Based on the idea of my colleague (https://lists.jboss.org/pipermail/keycloak-dev/2019-May/012085.html), we propose to modify the consent for a specific application on behalf of the user via the account REST API.
For our first draft we propose:
In the account controller (https://github.com/keycloak/keycloak/blob/fdc0943a92f75cd55192b40931255f480bdf1133/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java)
there will be new endpoints:
- /applications/ GET
  - returns a list of all available applications
- /applications/<id> GET
  - returns the application with the given id
- /applications/<id>/consent GET
  - returns the list of scopes granted for the application with the given id
- /applications/<id>/consent POST
  - creates a new consent for the application with the given id. Expects a list of scopes.
- /applications/<id>/consent PUT
  - updates the consent for the application with the given id. Expects a list of scopes.
- /applications/<id>/consent DELETE
  - deletes the consent for the application with the given id.
Besides the new endpoints, there will be new roles on the account client:
- view-applications
  - basic read access to query applications
- view-consent
  - composite role consisting of the view-applications role, grants read access to consents
- manage-consent
  - composite role consisting of the view-consent role, grants write access to consents
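
The role hierarchy and endpoint list above can be checked as a small access model. This is an added example, not Keycloak code or part of the ticket: the class and method names are hypothetical, and the role required per endpoint is an assumption derived from the "read access" and "write access" wording of the role descriptions.

```java
import java.util.*;

// Added illustration: models the proposed role hierarchy and endpoint permissions.
public class ConsentAccessModel {
    // Composite roles as described in the ticket: each role includes the roles it maps to.
    static final Map<String, Set<String>> COMPOSITES = Map.of(
        "view-applications", Set.of(),
        "view-consent", Set.of("view-applications"),
        "manage-consent", Set.of("view-consent"));

    // Assumed mapping of HTTP method + route template to required role (not from the ticket).
    static final Map<String, String> REQUIRED = Map.of(
        "GET /applications/", "view-applications",
        "GET /applications/<id>", "view-applications",
        "GET /applications/<id>/consent", "view-consent",
        "POST /applications/<id>/consent", "manage-consent",
        "PUT /applications/<id>/consent", "manage-consent",
        "DELETE /applications/<id>/consent", "manage-consent");

    // Expand directly assigned roles into the full effective set (transitive closure).
    static Set<String> effectiveRoles(Collection<String> assigned) {
        Set<String> seen = new TreeSet<>();
        Deque<String> todo = new ArrayDeque<>(assigned);
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (seen.add(role)) {
                todo.addAll(COMPOSITES.getOrDefault(role, Set.of()));
            }
        }
        return seen;
    }

    // Deny by default: a route missing from the table is refused for every caller.
    static boolean isAllowed(Collection<String> assigned, String method, String route) {
        String required = REQUIRED.get(method + " " + route);
        return required != null && effectiveRoles(assigned).contains(required);
    }

    public static void main(String[] args) {
        List<List<String>> callers = List.of(
            List.of("view-applications"), List.of("view-consent"), List.of("manage-consent"));
        for (List<String> caller : callers) {
            System.out.println(caller + " -> effective " + effectiveRoles(caller));
            for (String key : new TreeSet<>(REQUIRED.keySet())) {
                String[] parts = key.split(" ", 2);
                System.out.println("  " + key + ": " + isAllowed(caller, parts[0], parts[1]));
            }
        }
    }
}
```

Running it prints the full access matrix, which makes it easy to confirm that a caller holding only view-consent can read consents but cannot create, update, or delete them.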