Bug 57506 - OIDC grant access privileges dialog
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-8-errata
Assigned To: Mika Westphal
QA Contact: Christian Castens
URL: https://git.knut.univention.de/univen...
Reported: 2024-08-06 14:54 CEST by Felix Botner
Modified: 2024-08-28 15:29 CEST (History)
Description Felix Botner univentionstaff 2024-08-06 14:54:42 CEST
After the first login the user is prompted with a "grant access privileges" dialog.

  Do you grant these access privileges?
    User profile
    Email address
    User roles
    Allow access to UDM-REST API and OpenLDAP?
 Yes No

(a) Do we need/want this?

(b) If we want that, we need to update the layout; it looks a bit ugly currently (see GitLab issue)
Comment 1 Jan-Luca Kiok univentionstaff 2024-08-06 15:08:45 CEST
FYI: This prompt is called "End-User Consent/Authorization" and is part of the OIDC spec: https://openid.net/specs/openid-connect-core-1_0.html#Consent

> [...] the Authorization Server MUST obtain an authorization decision before releasing information to the Relying Party. [...] [T]his MAY be done through an interactive dialogue with the End-User [...] or by establishing consent via conditions for processing the request or other means (for example, via previous administrative consent).
Comment 2 Mika Westphal univentionstaff 2024-08-22 13:58:29 CEST
Keycloak will no longer show the consent screen for the UMC relying party. 

univention-management-console.yaml
d7fd2af6b599 | fix(umc): do not show the OIDC consent screen when the RP is the UMC

univention-management-console (12.0.34-6)
d7fd2af6b599 | fix(umc): do not show the OIDC consent screen when the RP is the UMC
Comment 3 Mika Westphal univentionstaff 2024-08-22 14:30:02 CEST
5.1-0
univention-management-console (13.0.20)
ecbee4ccd2a4 | fix(umc): do not show the OIDC consent screen when the RP is the UMC

5.2-0
univention-management-console (14.0.27)
372ac6b7057d | fix(umc): do not show the OIDC consent screen when the RP is the UMC
Comment 4 Mika Westphal univentionstaff 2024-08-22 16:33:23 CEST
The consent screen of Keycloak will be improved with the following Keycloak app release: 25.0.1-ucs2
Commit: b417346fd5eb93875866750756698063e6fe8229 | fix(login-oauth-grant): Fix broken layout
Comment 5 Christian Castens univentionstaff 2024-08-28 10:55:26 CEST
QA:
  OK: new layout/theme for Keycloak consent dialog
  OK: OIDC RP is created without consent dialog (consent dialog does not show up anymore)
  OK: tests
  OK: advisories
  OK: 5.2 + 5.0
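
The thread above skips the consent screen for one first-party relying party, which the quoted OIDC text allows as previous administrative consent. The following added example (not part of the bug thread and not Univention's code) audits a Keycloak realm export so that skipped consent stays limited to an explicit allowlist. It assumes Keycloak's `consentRequired` client attribute; the client IDs, the allowlist and the function name are constructed for illustration.

```python
import json

# Constructed sample in the shape of a Keycloak realm export: a "clients" list
# of client representations. All client IDs and scopes here are made up.
SAMPLE_REALM_EXPORT = """
{
  "realm": "example",
  "clients": [
    {"clientId": "example-umc-rp", "protocol": "openid-connect",
     "consentRequired": false, "defaultClientScopes": ["profile", "email", "roles"]},
    {"clientId": "third-party-app", "protocol": "openid-connect",
     "consentRequired": false, "defaultClientScopes": ["profile", "email"]},
    {"clientId": "partner-portal", "protocol": "openid-connect",
     "consentRequired": true, "defaultClientScopes": ["profile"]},
    {"clientId": "legacy-saml-sp", "protocol": "saml", "consentRequired": false}
  ]
}
"""

# Assumption: the operator keeps an allowlist of first-party relying parties for
# which consent has been given administratively (hypothetical value).
FIRST_PARTY_RPS = {"example-umc-rp"}


def audit_consent(realm_export: dict, first_party: set) -> list:
    """Return (clientId, finding, scopes) for OIDC clients that deviate from policy."""
    findings = []
    for client in realm_export.get("clients", []):
        # Only OIDC clients have a consent screen to audit; skip SAML and others.
        if client.get("protocol", "openid-connect") != "openid-connect":
            continue
        cid = client.get("clientId", "<missing clientId>")
        consent = bool(client.get("consentRequired", False))
        scopes = sorted(client.get("defaultClientScopes", []))
        if not consent and cid not in first_party:
            # Claims are released without a user decision and without a listed exemption.
            findings.append((cid, "consent-skipped-for-unlisted-rp", scopes))
        elif consent and cid in first_party:
            # Allowlisted RP still prompts: the exemption was not applied.
            findings.append((cid, "first-party-rp-still-prompts", scopes))
    return findings


if __name__ == "__main__":
    export = json.loads(SAMPLE_REALM_EXPORT)
    for cid, finding, scopes in audit_consent(export, FIRST_PARTY_RPS):
        print(f"{finding}: {cid} scopes={scopes}")
```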