Consent and Claims
The relationship between Consent and Claims
Consent is the act of letting the user participate in the decision of what data is shared with a third party. This article describes how consent relates to claims.
Asking for Consent¶
The meaning of consent is that a user is consenting to the release of user related data.
When working with a claims architecture, this data is the claims that will be issued to the client. Since claims can contain sensitive information such as an email address or account number, it's important to let the user know what is being shared with the third party.
Consent is normally not used when the Client and the OpenID Connect Provider belong to the same organization. Then the user is often considered to have implicitly consented to the information being used. It is more common when the Client is a Third Party.
Consent and Claims¶
The consent screen presented to the user contains all the Claim Names with corresponding descriptions for each claim.
In Curity it's possible to configure the consent to allow deselects for each claim. This is very powerful since the application may ask for data that the user isn't willing to release, but can accept to use the application with limited functionality by releasing some data.
If the user deselects claims during consent these will not be provided to the Client. The client should be robust enough to handle such scenarios.
If deselection isn't possible to manage in the Client, it can be configured to not allow deselection. This will provide the user with the option of releasing all or nothing, essentially aborting the authorization.
After consent the ID Token and Access Tokens will contain the claims that the user consented to. Depending on how the claims are mapped some will be present in the ID Token and others in the other tokens.
Curity will also, in addition to the specification, let the Client know what claim names were issued with the "claims" response parameter in the Token Response or the Authorization Response depending on flow.
Consent is powerful and important when dealing with Third Party Clients to inform the user of data that is being shared. The client needs to be robustly built, to handle cases where the user doesn't consent to the release of certain claims.