Following the lead of the docs assume we’re implementing a bank where users have Bank Account resources.
When our external partner, the “Cool Financial Services” client wants access to the user’s bank accounts, we need the user to somehow decide which bank account he or she would like to Consent to give “Cool Financial Services” access to. The ideal place would be the consent screen. Something like this:
(Here I’ve added the HTML for the resource list with checkboxes manually - no working code)
How can this be achieved with Keycloak? Is HTML GUI for asking the user which resources to grant per client inside or outside the scope of Keycloak?
Reading the docs, it seems that when the “Cool Financial Services” client performs the Authorization Code Flow the user will be shown a Consent page (without the resource) listing the scopes mentioned in the initial request and access and refresh tokens are granted. Resources do not enter into it yet at this point.
Somehow magically the resources, policies and permissions are supposed to be configured and then when “Cool Financial Services” tries to access Alice’s “Bank Account A” the client that owns the resources can query Keycloak about whether that is allowed.
We’re thinking asking the user which resources to consent to give access to per client must be a very common use case but:
How is this intended to be done? Which approach will give the least headaches?
hello @pmorch, did you find something useful? I’m trying to achieve the same in here.
Yeah, actually we did somewhat. We haven’t done it yet, but we’ll be implementing our own “Required Action” for this e.g. called “Select Accounts” by modifying e.g. “Terms and Conditions”.
The “Select Accounts” will then be a separate page from the Consents screen, but that is OK for us.
We then have to decide where to store the result:
- In the backend
- In the token
- In keycloak, making use of Authorization Services.
We’re not really sure where we’ll land with this eventually, but we have a path forward. 1 has the pro that it is super-simple, but the info won’t be available to any other clients; 2 has the pro that it is super-simple, but will only live in the token, and is subject to token expiry; and 3 has the pro that this is how Keycloak is intended to be used (I think), but it requires a round trip to the Keycloak server.
Hope this helps.
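A sketch of what the “Select Accounts” Required Action described in the reply above could look like, as an added example that is not code from the poster or from the Keycloak project. It assumes a Keycloak release that uses the `jakarta.ws.rs` packages (22 or later), a hypothetical package name, a FreeMarker template `select-accounts.ftl` that renders one checkbox named `account` per entry in the `accounts` attribute, and that the bank backend has mirrored the user’s account ids into a user attribute `bank_accounts` (a placeholder for a real backend lookup). The selection is stored per client as a user attribute (option 1 in the reply, kept in Keycloak rather than the bank backend) and additionally as a user session note so it can be mapped into the token (option 2). Only ids the user actually owns are accepted from the form, so a tampered POST cannot grant access to somebody else’s account.

```java
package com.example.keycloak.selectaccounts; // hypothetical package

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import org.keycloak.Config;
import org.keycloak.authentication.RequiredActionContext;
import org.keycloak.authentication.RequiredActionFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.UserModel;

import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

/** Asks the user which of their accounts a given client may access, once per client. */
public class SelectAccountsRequiredAction implements RequiredActionProvider, RequiredActionFactory {

    public static final String PROVIDER_ID = "select-accounts";
    // Assumed: the bank backend mirrors the user's account ids into this attribute.
    static final String ACCOUNTS_ATTR = "bank_accounts";
    // The per-client answer is stored under "consented_accounts.<clientId>".
    static final String CONSENT_ATTR_PREFIX = "consented_accounts.";
    // Session note name; a "User Session Note" protocol mapper can copy it into the token.
    static final String SESSION_NOTE = "consented_accounts";
    static final String FORM_FIELD = "account";          // checkbox name in the template
    static final String TEMPLATE = "select-accounts.ftl"; // assumed theme template

    @Override
    public void evaluateTriggers(RequiredActionContext context) {
        String clientId = context.getAuthenticationSession().getClient().getClientId();
        UserModel user = context.getUser();
        // Only interrupt the login if this client has no stored selection yet.
        if (user.getFirstAttribute(CONSENT_ATTR_PREFIX + clientId) == null) {
            user.addRequiredAction(PROVIDER_ID);
        }
    }

    @Override
    public void requiredActionChallenge(RequiredActionContext context) {
        String clientId = context.getAuthenticationSession().getClient().getClientId();
        Response form = context.form()
                .setAttribute("clientId", clientId)
                .setAttribute("accounts", ownedAccounts(context.getUser()))
                .createForm(TEMPLATE);
        context.challenge(form);
    }

    @Override
    public void processAction(RequiredActionContext context) {
        MultivaluedMap<String, String> params = context.getHttpRequest().getDecodedFormParameters();
        List<String> requested = params.get(FORM_FIELD);
        List<String> granted = filterOwned(requested, ownedAccounts(context.getUser()));
        if (granted.isEmpty()) {
            // Nothing valid was ticked: show the form again with an error instead of storing an empty grant.
            String clientId = context.getAuthenticationSession().getClient().getClientId();
            Response form = context.form()
                    .setError("selectAccountsNoneSelected") // message key assumed to exist in the theme
                    .setAttribute("clientId", clientId)
                    .setAttribute("accounts", ownedAccounts(context.getUser()))
                    .createForm(TEMPLATE);
            context.challenge(form);
            return;
        }
        String clientId = context.getAuthenticationSession().getClient().getClientId();
        context.getUser().setAttribute(CONSENT_ATTR_PREFIX + clientId, granted);
        context.getAuthenticationSession().setUserSessionNote(SESSION_NOTE, String.join(",", granted));
        context.success(); // clears the required action for this login
    }

    /** Account ids the user owns, read from the assumed mirror attribute. */
    static List<String> ownedAccounts(UserModel user) {
        return user.getAttributeStream(ACCOUNTS_ATTR).collect(Collectors.toList());
    }

    /** Keep only submitted ids that the user really owns; ignore anything else from the form. */
    static List<String> filterOwned(List<String> requested, List<String> owned) {
        if (requested == null) {
            return Collections.emptyList();
        }
        return requested.stream().filter(owned::contains).distinct().collect(Collectors.toList());
    }

    // RequiredActionFactory: Keycloak instantiates the provider through this factory.
    @Override public RequiredActionProvider create(KeycloakSession session) { return this; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayText() { return "Select Accounts"; }
}
```

To wire this in, the factory class name goes into `META-INF/services/org.keycloak.authentication.RequiredActionFactory` in the provider JAR, the template is added to a login theme, and the action is enabled under Authentication > Required Actions in the Admin Console. The session note reaches the access token only if the client (or a client scope) carries a “User Session Note” protocol mapper for `consented_accounts`; the resource server should still treat that claim as the user’s stated consent and combine it with its own authorization check rather than as the sole gate.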
Hi @pmorch, is your extension available for community?
We’re now developing pretty much the same feature for our open source project, and would appreciate some experience sharing.
We’re making an abstract plugin able to manage consents for payments/account access through external second factor services, with the ability to pick a preferred one in the Keycloak UI. And we’re stuck with passing consentId/redirectId to the Keycloak login form so we would have the possibility to access them later on to display confirmation objects in our OTP plugin confirmation, as we have a CMS of our own. Would appreciate any experience sharing.
I’m now facing the same problem as yours. Could you figure it out for your project?