eosc-kc / keycloak

Open Source Identity and Access Management For Modern Applications and Services
https://www.keycloak.org
Apache License 2.0

Support AUP on-demand renewal #48

Open NicolasLiampotis opened 3 years ago

NicolasLiampotis commented 3 years ago

Realm administrator should be able to update the current Acceptable Use Policy (AUP or Terms & Conditions).

laskasn commented 3 years ago

The first bullet point is currently provided out-of-the-box by Keycloak. The second bullet point is a little bit tricky to implement. It requires having versioning for the Terms & Conditions, yet the current design has no such thing. The login flow just loads a static ftl file (which is translated into HTML) for the UserRequiredAction of "terms_and_conditions". To modify the Terms and conditions, someone should just replace/modify the ftl file within the theme and maybe add some more CSS, JS and icons (or make another theme with the equivalent files). A possible "hack" would be to introduce incremental version numbers for the UserRequiredActions, along with a hash of the ftl contents. But it's still quite unclear to me how I can introduce this feature, changing as few things as possible in Keycloak. I'll post an update with a description of changes needed to support the above idea.

laskasn commented 3 years ago

It's really difficult to automatically determine if the Terms and conditions have changed (terms.ftl), because this ftl file might (already) include another ftl to which the changes apply. So it's impossible to know just by observing the terms.ftl. What I suggest is that we should rather enable the admin to batch reset the process for all existing users, by adding a button and the appropriate logic on the server side. The good thing is that Keycloak utilises 2 tables for the Terms and Conditions.

Sensing a change in the terms.ftl file, or even more so in any files included in or linked to it, is really hard to do, BUT an admin could manually reset the values in the table 'user_required_action' to ask all existing users to re-accept his new terms and conditions.

@NicolasLiampotis Please let me know if the last sentence fulfils our needs. If so, we should open a discussion with Keycloak's team to see how we can implement that and get it into future releases.
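Added example (not part of the thread, and not Keycloak code): a sketch of the "hash of the ftl contents" idea discussed in the two comments above, which follows literal `<#include>`/`<#import>` references so that an edit to an included template changes the digest even when `terms.ftl` itself is untouched. The file names `template.ftl` and `aup-body.ftl`, the flat theme directory and all function names are assumptions; templates inherited from a parent theme and dynamically computed include paths are not followed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Literal FreeMarker references only: <#include "x.ftl">, <#import "x.ftl" as y>.
REF = re.compile(r'<#(?:include|import)\s+["\']([^"\']+)["\']')

def template_closure(theme_dir, entry="terms.ftl"):
    """Return entry plus every template it references transitively, sorted."""
    seen, stack = set(), [entry]
    while stack:
        name = stack.pop()
        path = theme_dir / name
        if name in seen or not path.is_file():
            continue  # already visited, or inherited from a parent theme (not covered)
        seen.add(name)
        stack.extend(ref.lstrip("/") for ref in REF.findall(path.read_text(encoding="utf-8")))
    return sorted(seen)

def terms_digest(theme_dir, entry="terms.ftl"):
    """SHA-256 over the names and contents of the whole template closure."""
    digest = hashlib.sha256()
    for name in template_closure(theme_dir, entry):
        data = (theme_dir / name).read_bytes()
        # Prefix name and length so file boundaries cannot be confused.
        digest.update(f"{name}\0{len(data)}\0".encode())
        digest.update(data)
    return digest.hexdigest()

def demo():
    """Constructed theme: edit only the included file, compare both digests."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp)
        (theme / "terms.ftl").write_text('<#import "template.ftl" as layout>\n<#include "aup-body.ftl">\n')
        (theme / "template.ftl").write_text("<#macro page><#nested></#macro>\n")
        (theme / "aup-body.ftl").write_text("<p>AUP version 1</p>\n")
        before = (hashlib.sha256((theme / "terms.ftl").read_bytes()).hexdigest(), terms_digest(theme))
        (theme / "aup-body.ftl").write_text("<p>AUP version 2</p>\n")
        after = (hashlib.sha256((theme / "terms.ftl").read_bytes()).hexdigest(), terms_digest(theme))
        return {"files": template_closure(theme),
                "entry_hash_changed": before[0] != after[0],
                "closure_hash_changed": before[1] != after[1]}

if __name__ == "__main__":
    print(demo())
```

A digest like this could serve as the version marker stored alongside a user's acceptance; a mismatch at login would indicate the accepted text is stale.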

NicolasLiampotis commented 3 years ago

Issue description for PR: https://docs.google.com/document/d/1j356lTlNwETiGN-Nwv2urIjsPp9CtZXWDQ4F_ZFgJ8E/edit

laskasn commented 3 years ago

Keycloak issue tracker ticket: https://issues.redhat.com/browse/KEYCLOAK-17379