A bare Keycloak instance is not GDPR compliant


Réda Housni Alaoui

Apr 14, 2021, 10:52:45 AM
to Keycloak Dev
Hi everyone,

I'd like to highlight a problem that should concern any Keycloak instance collecting European user data. Keycloak does not allow collecting a user's consent before processing their registration. A feature request was opened at https://issues.redhat.com/browse/KEYCLOAK-15244 in August 2020, but nothing has happened since.

It looks like it is not a priority of the Keycloak team. I am willing to craft a pull request based on minimal guidance from the team.

Should the mechanism be based on the current "Terms and Conditions" feature? Or should it be a totally separate feature? Can I have some advice for the UX part?

Best regards

Thomas Darimont

Apr 14, 2021, 3:27:53 PM
to Réda Housni Alaoui, Keycloak Dev

Hello,

This could be added via a custom registration FormAction and a small register.ftl template adjustment. You can find an example for this here:
https://github.com/thomasdarimont/keycloak-extension-playground/tree/master/auth-custom-registration-create-user

I think it would make sense to make `org.keycloak.authentication.forms.RegistrationUserCreation` configurable to support an accept terms checkbox in the standard `register.ftl` template.

Cheers,
Thomas



Réda Housni Alaoui

Apr 17, 2021, 10:26:05 AM
to Keycloak Dev
Thank you Thomas. Your sample has been very helpful.

I opened https://github.com/keycloak/keycloak/pull/7938 to implement this feature.
