OIDC consent

❗️

This is an early access feature. Please get in touch with your administrator to enable this feature.

In OpenID Connect, the authorization server can optionally prompt the user to consent to the authorization request sent by the relying party (RP). By giving consent, the user agrees to release data to the RP.
In OpenID Connect terms, that data is the set of claims the relying party asks for in its authorization request.

Because claims can carry sensitive data such as email addresses or phone numbers, the user's consent must be obtained before that data is shared with the RP.

Consent can also be requested for scopes that correspond to APIs rather than to claims.

How does it work?

In this example, a bank uses CyberArk Identity as its identity provider (IdP) and authorization server. A customer of the bank wants to file his taxes with Tax eFile, a third-party application that needs some of his banking data.

The bank admin configures the scopes in the admin portal: Transactions and Investments as API scopes, and Location and Address as scopes for custom claims.

The admin defines the custom claims "Location" and "Address".

The admin then enables consent for the application.

  • The user navigates to Tax eFile and tries to log in.
    • Tax eFile sends an authorization request to CyberArk Identity asking for the scopes it needs: Transactions, Location, Investments, and Address. The space-separated scope value is percent-encoded in the query string:
GET {tenant_url}/OAuth2/Authorize/{application_id}?response_type={response_type}&client_id={client_id}&redirect_uri={redirect_uri}&scope=openid%20Location%20Address%20Transactions%20Investments&state={state}

Note: Transactions and Investments are API scopes used to access the bank's (Acme) APIs, whereas Location and Address are the scopes for the custom claims that release the user's location and address details.

  • CyberArk Identity prompts the user to log in, since the user is not yet authenticated.
  • Once the user has authenticated, Identity prompts the user to consent to the scopes Transactions, Location, Investments, and Address.
  • The user consents only to the Transactions and Address scopes and denies consent to Investments and Location.
    Identity then sends an authorization code to Tax eFile.

Note: In CyberArk Identity, the consent screen presented to the user contains the scope names.


📘

Letting the user select individual scopes is optional. The admin can disable "Allow scope selection" in the admin portal configuration to turn scope selection off.

  • Tax eFile exchanges the authorization code for an access token and an ID token.
  • Because the user did not consent to share Investments data, Tax eFile can use the access token only to call the Transactions APIs. The scope claim of the access token records what was actually granted, which is not necessarily what was requested:
{
  "auth_time": 1662368402,
  "iss": "<tenant_url>/test/",
  "iat": 1662368491,
  "aud": "<client_id>",
  "unique_name": "monika.a",
  "exp": 1662386491,
  "sub": "<user_uuid>",
  "nonce": "abc",
  "scope": "openid Address Transactions"
}
  • The ID token issued to Tax eFile contains no location data; only the address is shared:
{
  "auth_time": 1662368402,
  "iss": "<tenant_url>/test/",
  "iat": 1662368491,
  "aud": "<client_id>",
  "unique_name": "monika.a",
  "exp": 1662386491,
  "sub": "<user_uuid>",
  "nonce": "abc",
  "Address": "500081"
}
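The walkthrough above leaves the relying party with two things to get right: build the authorization request correctly, and then trust the tokens, not its own request, to decide what it may do. The following is an added example (it is not CyberArk's code and not part of the original page) showing that logic in Python. It assumes the tokens returned by the code exchange have already been signature-verified and decoded into dictionaries; the claim values are constructed from the page's walkthrough, with placeholders such as <tenant_url> kept as literal strings, and the names of all functions and constants are the example's own.

```python
"""Relying-party handling of partial OIDC consent.

Added example, not CyberArk's code. It assumes the tokens returned by the
code exchange have already been signature-verified and decoded into dicts;
the claim values below are constructed from the page's walkthrough
(placeholders such as <tenant_url> are kept as literal strings).
"""
from urllib.parse import urlencode, quote

# Constructed sample: what Tax eFile asks for in its authorization request.
REQUESTED_SCOPES = ["openid", "Location", "Address", "Transactions", "Investments"]
API_SCOPES = {"Transactions", "Investments"}   # gate calls to the bank's APIs
CLAIM_SCOPES = {"Location", "Address"}          # release custom claims in the ID token

# Constructed sample: decoded token payloads after the user approved
# Transactions and Address and denied Location and Investments.
ACCESS_TOKEN_CLAIMS = {
    "auth_time": 1662368402, "iss": "<tenant_url>/test/", "iat": 1662368491,
    "aud": "<client_id>", "unique_name": "monika.a", "exp": 1662386491,
    "sub": "<user_uuid>", "nonce": "abc", "scope": "openid Address Transactions",
}
ID_TOKEN_CLAIMS = {
    "auth_time": 1662368402, "iss": "<tenant_url>/test/", "iat": 1662368491,
    "aud": "<client_id>", "unique_name": "monika.a", "exp": 1662386491,
    "sub": "<user_uuid>", "nonce": "abc", "Address": "500081",
}


def build_authorize_url(tenant_url, application_id, client_id, redirect_uri,
                        scopes, state, nonce):
    """Build the /OAuth2/Authorize request with a percent-encoded query.
    The scope value is space-separated, so the spaces are sent as %20."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return f"{tenant_url}/OAuth2/Authorize/{application_id}?" + urlencode(params, quote_via=quote)


def basic_token_checks(claims, expected_iss, expected_aud, expected_nonce, now):
    """Return a list of problems with the decoded token; empty means it passed.
    Signature verification is assumed to have happened before this point."""
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    if claims.get("aud") != expected_aud:
        problems.append("audience mismatch")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired")
    return problems


def granted_scopes(access_claims):
    """Scopes the authorization server actually granted, read from the
    access token's scope claim rather than from what the RP requested."""
    return set(access_claims.get("scope", "").split())


def consent_outcome(requested, access_claims):
    """Split the requested scopes into granted and denied sets."""
    granted = granted_scopes(access_claims)
    return {"granted": granted & set(requested), "denied": set(requested) - granted}


def can_call_api(access_claims, required_scope):
    """True only if the access token carries the scope that gates the API."""
    return required_scope in granted_scopes(access_claims)


def released_claims(id_claims, claim_scopes):
    """Custom claims that actually arrived in the ID token. A denied scope
    simply produces no claim, so absence means 'not shared', not 'empty'."""
    return {s: id_claims[s] for s in claim_scopes if s in id_claims}


if __name__ == "__main__":
    print(build_authorize_url("<tenant_url>", "<application_id>", "<client_id>",
                              "https://taxefile.example/callback", REQUESTED_SCOPES,
                              "state123", "abc"))
    print(basic_token_checks(ID_TOKEN_CLAIMS, "<tenant_url>/test/", "<client_id>", "abc", 1662368500))
    print(consent_outcome(REQUESTED_SCOPES, ACCESS_TOKEN_CLAIMS))
    print("Transactions API allowed:", can_call_api(ACCESS_TOKEN_CLAIMS, "Transactions"))
    print("Investments API allowed:", can_call_api(ACCESS_TOKEN_CLAIMS, "Investments"))
    print("claims released:", released_claims(ID_TOKEN_CLAIMS, CLAIM_SCOPES))
```

The point of consent_outcome and released_claims is that the RP must treat the token as the source of truth: a scope it asked for but that is missing from the scope claim was denied, and a custom claim missing from the ID token was withheld, so neither should be defaulted or assumed. basic_token_checks is the minimum an RP does on top of signature verification before acting on any of the claims.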

A client can also build its own consent screen: it collects the user's decision and returns it to the authorization server through the /OAuth2/Confirm API.

The result parameter is either 0 or 1: 0 means the user denied the request, 1 means the user approved it. The scopes parameter lists the approved scopes and deniedScopes the denied ones, both space-separated (percent-encoded in the query string).

GET {tenant_url}/OAuth2/Confirm/{application_id}?bounce={bounce_value}&result=1&scopes=Location%20Transactions&deniedScopes=Address%20Investments

On a successful request, the user is redirected back to the application.

Note: The user must authenticate to CyberArk Identity before approving or denying the consent.
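To show how a custom consent screen turns the user's selection into the /OAuth2/Confirm request described above, here is an added example in Python (it is not CyberArk's code and not part of the original page). It assumes that bounce is an opaque value the RP received from CyberArk Identity and passes back unchanged, that openid is never shown as a selectable scope and therefore appears in neither list (the page's own Confirm example lists only the selectable scopes), and that a selection approving nothing is reported as a denial with result=0; the function names and the NON_SELECTABLE constant are the example's own.

```python
"""Answering an OIDC consent prompt through /OAuth2/Confirm from a custom screen.

Added example, not CyberArk's code. Assumptions: bounce is an opaque value the
RP received from CyberArk Identity and passes back unchanged; openid is never
shown as a selectable scope and so appears in neither list; a selection that
approves nothing is reported as a denial (result=0).
"""
from urllib.parse import urlencode, quote, urlsplit, parse_qs

NON_SELECTABLE = {"openid"}   # assumption: always granted, no checkbox on the screen


def build_confirm_url(tenant_url, application_id, bounce, requested, approved):
    """Turn the user's checkbox selection into the /OAuth2/Confirm request.

    requested: scopes from the authorization request (what the screen showed)
    approved:  scopes the user ticked, as posted back by the form
    Raises ValueError if the form posts a scope that was never requested, so a
    tampered form cannot widen the grant beyond what Identity asked about.
    """
    selectable = [s for s in requested if s not in NON_SELECTABLE]
    chosen = [s for s in approved if s not in NON_SELECTABLE]
    unexpected = set(chosen) - set(selectable)
    if unexpected:
        raise ValueError(f"scopes not in the original request: {sorted(unexpected)}")
    granted = [s for s in selectable if s in chosen]      # keep request order
    denied = [s for s in selectable if s not in chosen]
    params = {
        "bounce": bounce,
        "result": "1" if granted else "0",
        "scopes": " ".join(granted),
        "deniedScopes": " ".join(denied),
    }
    # quote_via=quote encodes the separating spaces as %20 rather than '+'
    return f"{tenant_url}/OAuth2/Confirm/{application_id}?" + urlencode(params, quote_via=quote)


def confirm_params(url):
    """Decode the query of a Confirm URL back into a dict (for display and checks)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


if __name__ == "__main__":
    # Constructed sample: the walkthrough's request, with the user ticking
    # Address and Transactions only.
    requested = ["openid", "Location", "Address", "Transactions", "Investments"]
    url = build_confirm_url("https://tenant.example", "app1", "bounce123",
                            requested, ["Address", "Transactions"])
    print(url)
    print(confirm_params(url))
```

The validation step matters because the consent form is client-side input: without it, a modified form could post a scope that Identity never asked the user about. The server still has the final say on what it grants, but the RP should not be the one widening the request.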