You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 18 Next »

A key feature of the OIDC Provider from BankID is to handle consent from the end-user to authorize OIDC Clients to access Protected Resources on behalf of the end-user.  Consent handling takes place on a per scope basis and the end-user normally gives his consent in a dialogue tailored to the scope(s) and Protected Resources in question. Since consent handling happens after the authentication phase of the message flow, any consent dialogue is the same across all supported IDPs. This results in uniform consent handling and is a key characteristic of the OIDC Provider from BankID.

The ability to handle partial consents is another key characteristic of the OIDC Provider from BankID. The request from an OIDC Client for a given scope will most oftenly concern several claims. Partial consent referes to situation when the end-user gives his consent for some of the affected claims, but not all of them. The OIDC Provider will in such a case return a successful authentication, at the same time making note of the sub-set of claims that was actually consented. Consented claims are made available to the OIDC Client subsequently, either as part of the ID Token or as part of the response from an endpoint of a Resource Server associated with any kind of Protected Resource supported by the OIDC Provider. Un-consented claims are not made available to the requesting OIDC Client.

As suggested by the figure on message flow, generic logic for consent handling is performed by the OIDC Provider together with the OIDC GUI componen. The specific GUI for consent handling is on the other hand governed by external components as illustrated for the TINFO service in the example flow. Each kind of Protected Resource supported by the OIDC Provider has its own external component for consent handling. The OpenID Connect Provider from BankID uses web-client technology from BankID to reduce the surface of attack on GUIs related to consent handling. Ensuring that the consent shown to the user is not spoofed and corresponds to the authorization actually granted is key to maintain trust in the OIDC Provider. This challenge corresponds to the classical WYSIWYS-challenge associated with digital signing. Know-how from the BankID signing service is used to build a high-trust solution for consent handling in the OIDC Provider.

See further details on consent handling for each of the supported kinds of Protected Resources.

  • No labels