Consent and Claims

The relationship between Consent and Claims

Introduction

Consent is the act of letting the user participate in the decision about what data is shared with a third party. This article describes how consent relates to claims.

In this context, consent means that the user agrees to the release of user-related data.

When working with a claims architecture, this data is the claims that will be issued to the client. Since claims can contain sensitive information such as an email address or account number, it's important to let the user know what is being shared with the third party.

Third parties

Consent is normally not used when the Client and the OpenID Connect Provider belong to the same organization; in that case the user is usually considered to have implicitly consented to the information being used. Consent is more common when the Client is a Third Party.

The consent screen presented to the user contains all the Claim Names with corresponding descriptions for each claim.

Consent

In Curity it is possible to configure consent so that the user can deselect individual claims. This is very powerful: the application may ask for data that the user is not willing to release, yet the user may still accept using the application with limited functionality by releasing only some of the data.

User deselection

If the user deselects claims during consent, those claims will not be provided to the Client. The Client should be robust enough to handle such scenarios.

If the Client cannot handle deselection, consent can be configured to disallow it. The user then has an all-or-nothing choice: release every claim, or decline, which aborts the authorization.

Resulting Claims

After consent, the ID Token and Access Token will contain only the claims that the user consented to. Depending on how the claims are mapped, some will be present in the ID Token and others in the other tokens.

In addition to what the specification requires, Curity also lets the Client know which claim names were issued, using the "claims" response parameter in the Token Response or the Authorization Response, depending on the flow.
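The Client-side handling described in the two sections above (degrading gracefully when claims are deselected, failing cleanly when authorization is aborted, and reading the issued claim names from the "claims" response parameter) as an added example; this is not Curity's own code. The claim names, feature labels and token responses are constructed, and the encoding of the "claims" parameter (a space-separated string or a list) is an assumption.

```python
"""Client-side handling of consent results (constructed example)."""

# Claims the application requests, and which feature each optional one unlocks.
# Claim names and feature labels here are constructed for illustration.
REQUIRED_CLAIMS = {"sub"}
OPTIONAL_CLAIMS = {
    "email": "e-mail notifications",
    "account_number": "account overview",
}


def issued_claim_names(token_response, id_token_claims=None):
    """Return the set of claim names actually released to this client.

    Prefers the Curity "claims" response parameter (assumed to be a
    space-separated string or a list); otherwise falls back to the keys of
    an already signature-verified ID Token payload, if one is given.
    """
    value = token_response.get("claims")
    if value is None:
        return set(id_token_claims or {})
    return set(value.split()) if isinstance(value, str) else set(value)


def apply_consent(token_response, id_token_claims=None):
    """Map the consent outcome to application behaviour.

    Raises PermissionError when authorization was aborted (all-or-nothing
    consent declined) or a required claim was withheld; otherwise returns
    which features to enable or disable for this session.
    """
    if "error" in token_response:  # e.g. access_denied after an aborted consent
        raise PermissionError(f"authorization failed: {token_response['error']}")
    issued = issued_claim_names(token_response, id_token_claims)
    missing = REQUIRED_CLAIMS - issued
    if missing:
        raise PermissionError(f"required claim(s) withheld: {sorted(missing)}")
    withheld = sorted(c for c in OPTIONAL_CLAIMS if c not in issued)
    return {
        "enabled_features": sorted(f for c, f in OPTIONAL_CLAIMS.items() if c in issued),
        "disabled_features": sorted(OPTIONAL_CLAIMS[c] for c in withheld),
        "withheld_claims": withheld,
    }


# Constructed token response: the user deselected "account_number" at consent.
PARTIAL_CONSENT = {"access_token": "constructed-token", "token_type": "bearer",
                   "claims": "sub email"}

if __name__ == "__main__":
    print(apply_consent(PARTIAL_CONSENT))
```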

Conclusion

Consent is powerful and important when dealing with Third Party Clients, because it informs the user of the data that is being shared. The Client must be built robustly enough to handle cases where the user does not consent to the release of certain claims.
