Add Selective Consent for clients #40922
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Francis Augusto Medeiros <register@francisaugusto.com>
Signed-off-by: Francis Augusto Medeiros <register@francisaugusto.com>
7d8cdcc to
f2f7f8a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces the concept of Selective Consent.
The idea is simple:
As of today, Consent requirement is on or off on clients. Either all users must consent to a client or all users won't have that requirement.
However, often Keycloak has different classes of users. A common pattern is the devision of internal and external users. The introduction of Organizations makes this pattern even more obvious.
The consequence of handling different types of users is that the grounds for processing personal data might be different depending on what type of user, or, rather, what type of data subject the user is. If the user is an employee, the grounds of processing personal data might not be based on consent. However, guest users must certainly consent for transferring of personal data to an application.
This PR aims to address the need of requiring consent for transferring of personal data only for some users:
The main idea is that it will be possible to require consent only for users with a given attribute and a given value.
When I first started implementing this, I wanted to add an own tab to handle this, and offering the possibility to configure multiple attributes. I also wanted to add the possibility of requiring consent based on organization. The problem I faced with that approach was the need of creating Set for organizations and Map<String,String> for attributes. Actually, it was done, but working with them on the React code was painful. Besides, it was hard to find out the user membership to an organization based on the user object.
So I dropped that more complete approach in favor of something much simpler: since one can easily add attributes to an organization, just adding a simple attribute per client will probably be sufficient for most use cases.
If, however, there's the need of implementing this with more fine tuned possibilities, like adding organizations and "any or all" multiple attributes, we can discuss the viability of such implementation.