User consent and claims during the authorization process.

Consent and Claims


User Consent and Claims

Consent is the act of letting the user participate in deciding what data to share with a third party. This article describes how consent relates to claims.


Asking for Consent

When a user gives consent, the user is consenting to the release of user related data.

In the context of claims architecture, these data are the claims that will be issued to the client. Since claims can contain sensitive information such as an email address or account number, it is important to let the user know what is being shared with a third party.

Third parties

Consent is normally not used when the Client and the OpenID Connect Provider belong to the same organization. In that case, the user is often considered to have implicitly consented to the use of the information in question. Consent is more commonly involved when the Client is a Third Party.

Consent and Claims

The consent screen presented to the user contains all the Claim Names with corresponding descriptions for each claim.

Configuring consent by the Curity Identity Server

In the Curity Identity Server it is possible to configure consent so that the user can deselect individual claims. Since the application may ask for data that the user isn't willing to release, it is important that the user is able to release only some of the requested data and still proceed with the application.

User deselection

If the user deselects claims during consent, these will not be provided to the Client. The Client should be robust enough to handle such scenarios.

If the Client cannot handle deselection, it can be configured to not allow deselection. The user is then given an all-or-nothing choice: either release all of the requested data, or decline, which aborts the authorization.

Resulting Claims

Following consent, the ID Token and Access Tokens will contain only the claims that the user consented to. Depending on how claims are mapped, some will be present in the ID Token and others in other tokens.

Beyond what the specification requires, the Curity Identity Server will also let the Client know which claim names were issued, using the "claims" response parameter in the Token Response or in the Authorization Response, depending on the flow.
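The Client-side handling described above, for both user deselection and the "claims" response parameter, as an added example that is not part of the original article or of the Curity Identity Server. It assumes the "claims" parameter is a JSON array of claim-name strings (the article does not define its format), that the ID Token has already been verified by the Client's OpenID Connect library, and a constructed split of requested claims into required and optional ones.

```python
import json

# Constructed example of what this Client requested at authorization:
# claims it cannot work without, and claims it can gracefully do without
# if the user deselects them on the consent screen.
REQUIRED_CLAIMS = {"sub", "email"}
OPTIONAL_CLAIMS = {"given_name", "account_number"}


def issued_claim_names(token_response: dict) -> set:
    """Return the names of the claims the server actually issued.

    Assumption: the "claims" response parameter is a JSON array of claim
    names (either already decoded or still a JSON string). When it is
    absent, fall back to the keys of the already-verified ID Token payload.
    """
    names = token_response.get("claims")
    if names is None:
        return set(token_response.get("id_token_payload", {}))
    if isinstance(names, str):
        names = json.loads(names)
    return set(names)


def evaluate_consent(token_response: dict) -> dict:
    """Decide whether the Client can proceed after the user's consent choices."""
    issued = issued_claim_names(token_response)
    missing_required = sorted(REQUIRED_CLAIMS - issued)
    deselected_optional = sorted(OPTIONAL_CLAIMS - issued)
    return {
        # Proceed only when every claim the Client truly needs was released.
        "can_proceed": not missing_required,
        "missing_required": missing_required,
        # Optional claims the user withheld; degrade features instead of failing.
        "deselected_optional": deselected_optional,
    }


# Constructed Token Response: the user deselected "account_number" at consent.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "<opaque-access-token-placeholder>",
    "id_token": "<signed-id-token-placeholder>",
    "claims": ["sub", "email", "given_name"],
}

if __name__ == "__main__":
    print(evaluate_consent(SAMPLE_TOKEN_RESPONSE))
```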


Conclusion

Consent is a powerful and important way for Third Party Clients to inform the user about data that is being shared. The Client needs to be robustly built in order to handle cases where the user doesn't consent to the release of certain claims.


Jacob Ideskog

Identity Specialist and CTO at Curity
