Consent and Claims

The relationship between Consent and Claims

Introduction

Consent is the act of letting the user participate in deciding what data to share with a third party. This article describes how consent relates to claims.

When a user gives consent, the user is consenting to the release of user-related data.

In the context of claims architecture, that data is the set of claims that will be issued to the Client. Since claims can carry sensitive information such as an email address or an account number, it is important to show the user exactly what is being shared with a third party.

Third parties

Consent is normally not used when the Client and the OpenID Connect Provider belong to the same organization. In that case the user is usually considered to have implicitly consented to the use of the information in question. Consent is more commonly involved when the Client is a Third Party.

The consent screen presented to the user lists every requested claim by its Claim Name, together with a description of each claim.

Consent

In the Curity Identity Server, consent can be configured to let the user deselect individual claims. Since an application may ask for data that the user is not willing to release, it is important that the user can still use the application while releasing only some of the requested data.

User deselection

If the user deselects claims during consent, those claims are not provided to the Client. The Client should be built to handle such cases: a requested claim may simply be absent from the tokens.

If the Client cannot cope with deselection, it can be configured so that deselection is not offered. The user then has an all-or-nothing choice: release every requested claim, or decline, which aborts the authorization.

Resulting Claims

Following consent, the ID Token and Access Token contain only the claims that the user consented to. Depending on how the claims are mapped, some will be present in the ID Token and others in the Access Token or other tokens.

Beyond what the OpenID Connect specification requires, the Curity Identity Server also tells the Client which claim names were actually issued, using the "claims" response parameter in the Token Response or in the Authorization Response, depending on the flow.
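The client-side handling described in the two sections above (coping with deselected claims, and reading claims that are split between the ID Token and the Access Token), as an added example; it is not code from the article or from Curity. Everything in it is constructed so that it runs offline: the tokens are unsigned, JWT-shaped strings (alg "none"), the claim names and the REQUIRED_CLAIMS list are hypothetical, and the "claims" response parameter is assumed to be a space-separated string of claim names (check the Curity documentation for its actual format). A real client must verify the ID Token signature and issuer with a JOSE library before trusting any claim in it.

```python
import base64
import json

# Constructed for this example: what the client asked for, and the subset it cannot
# work without (hypothetical policy; "sub" is always issued in an ID Token anyway).
REQUESTED_CLAIMS = ["sub", "email", "account_number"]
REQUIRED_CLAIMS = ["sub", "email"]


class ConsentError(Exception):
    """Raised when the user withheld a claim the client cannot function without."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned compact JWT (alg "none") for the sample response."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def sample_token_response(consented: list) -> dict:
    """Constructed Token Response for a user who left only `consented` selected.

    Mirrors the article: "email" is mapped into the ID Token, "account_number" into
    the Access Token, and the provider lists the issued claim names in a "claims"
    parameter (assumed here to be a space-separated string)."""
    profile = {"sub": "user-123", "email": "alice@example.com", "account_number": "ACC-987"}
    released = {k: v for k, v in profile.items() if k in consented}
    id_token_claims = {"iss": "https://idsvr.example.com", "aud": "my-client",
                       **{k: v for k, v in released.items() if k != "account_number"}}
    access_token_claims = {"iss": "https://idsvr.example.com", "scope": "openid",
                           **{k: v for k, v in released.items() if k == "account_number"}}
    return {
        "access_token": make_unsigned_token(access_token_claims),
        "id_token": make_unsigned_token(id_token_claims),
        "token_type": "Bearer",
        "claims": " ".join(c for c in REQUESTED_CLAIMS if c in consented),
    }


def issued_claim_names(token_response: dict) -> set:
    """Names of the claims actually released.

    Uses the provider's "claims" parameter when present (string or list assumed);
    otherwise falls back to the requested names that appear in the token payloads."""
    listed = token_response.get("claims")
    if isinstance(listed, str):
        return set(listed.split())
    if isinstance(listed, list):
        return set(listed)
    names = set()
    for key in ("id_token", "access_token"):
        if key in token_response:
            names |= set(jwt_payload(token_response[key]))
    return names & set(REQUESTED_CLAIMS)


def collect_profile(token_response: dict) -> tuple:
    """Return (claims the client may use, requested claims the user withheld).

    Raises ConsentError when a required claim is missing: this is where a client that
    cannot cope with deselection should stop rather than guess at the missing data."""
    issued = issued_claim_names(token_response)
    withheld = [c for c in REQUESTED_CLAIMS if c not in issued]
    missing_required = [c for c in REQUIRED_CLAIMS if c not in issued]
    if missing_required:
        raise ConsentError(f"user did not consent to required claims: {missing_required}")
    profile = {}
    for key in ("id_token", "access_token"):  # claims may be split across both tokens
        if key in token_response:
            payload = jwt_payload(token_response[key])
            profile.update({k: v for k, v in payload.items() if k in issued})
    return profile, withheld
```

Running `collect_profile(sample_token_response(["sub", "email"]))` yields the two consented claims and reports "account_number" as withheld, while a response in which the user also deselected "email" raises ConsentError, which is the all-or-nothing outcome a client that cannot handle deselection would otherwise get from the server-side setting.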


Conclusion

Consent is a powerful and important way to inform the user about the data that is shared with a Third Party Client. The Client needs to be robustly built so that it handles cases where the user does not consent to the release of certain claims.
