Consent and Claims

User Consent and Claims

Consent is the act of letting the user participate in deciding what data to share with a third party. This article describes how consent relates to claims.

Asking for Consent

When a user gives consent, the user is consenting to the release of user related data.

In the context of claims architecture, these data are the claims that will be issued to the client. Since claims can contain sensitive information such as an email address or account number, it is important to let the user know what is being shared with a third party.

Consent and Claims

The consent screen presented to the user contains all the Claim Names with corresponding descriptions for each claim.

In the Curity Identity Server it is possible to configure the consent to allow deselects for each claim. Since the application may ask for data that the user isn't willing to release, it is important that the user be able to use the application to release only some of the data requested.

If deselection isn't possible to manage in the Client, the Client can be configured to not allow deselection. This will provide the user with the option of releasing all or nothing, essentially aborting the authorization.

Resulting Claims

Following consent, the ID Token and Access Tokens will contain the claims that the user consented to. claims are mapped, some will be present in the ID Token and others in other tokens.

The Curity Identity Server will also, in addition to the specification, let the Client know what claim names were issued with the "claims" response parameter in the Token Response or in the Authorization Response, depending on flow.

Conclusion

Consent is a powerful and important way for Third Party Clients to inform the user about data that is being shared. The Client needs to be robustly built in order to handle cases where the user doesn't consent to the release of certain claims.