13.3.1.3.1.2. Remote consent configuration

The Remote Consent Protocol configuration depends on whether the JSP-Loginapp or the Loginapp REST API/UI is used:

  • JSP-Loginapp
      • Go to: Loginapp >> MAIN SETTINGS >> Application Settings >> Some OAuth Target Application >> OAuth 2.0 Authorization Code Grant Identity Propagator
      • or: search for OAuth 2.0 Authorization Code Grant Identity Propagator in the Config Editor
  • Loginapp REST UI
      • Go to: Loginapp >> OAuth 2.0/OIDC Authorization Server >> {{AS-ID}} >> OAuth 2.0 Grants/OIDC Flows >> OAuth 2.0 Authorization Code Grant | OIDC Authorization Code Flow
      • Go to the section User Interface

Configure OAuth 2.0 Remote Consent

Choose the plugin OAuth 2.0 Remote Consent as value for the Consent property and follow the information in the Config Editor for configuration.

For security reasons it is strongly recommended to:

  • Protect the Remote Consent Application with Airlock Gateway (WAF), just as any other web application.
  • Restrict access to the OAuth 2.0 Remote Consent application to a dedicated role (e.g. "remote_consent").
  • Configure that role in IAM's remote consent property "Airlock Gateway (WAF) Role for Remote Consent Site".

In the Remote Consent Protocol, the Remote Consent Application sends a JWT containing the set of scopes the end user accepted to Airlock IAM. IAM accepts the JWT only if its signature verifies (and, if the JWT is encrypted, if it can be decrypted). The JWT is transported through the end user's browser in an HTTP redirect, so it passes through hands IAM cannot trust; the signature is the only thing that binds it to the Remote Consent Application. This means that whoever is able to produce a correctly signed JWT can dictate which scopes IAM treats as accepted by the end user.

You must ensure the following:

  • The public key configured in IAM to verify the JWT signature is authentic, i.e. you must be certain that it belongs to the Remote Consent Application and not to a key pair somebody else controls.
  • The private key the Remote Consent Application uses to sign JWTs remains secret; anyone holding it can issue consent on behalf of any user.
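The signed-redirect exchange described above, as an added example in Go that is not Airlock's own code: a Remote Consent Application signs its accepted-scope claims as an RS256 compact JWS, and an IAM-side verifier accepts the token only under the public key pinned in its configuration. The claim names (aud, sub, exp, accepted_scopes), the audience value airlock-iam and the freshly generated demo key pairs are assumptions made for this example; the page does not document Airlock IAM's actual token format. The scenario also shows what the two requirements above protect against: a token signed with a key IAM has not pinned (an attacker's, or a wrong key accepted as authentic) is rejected, and a genuine token whose payload is swapped for wider scopes fails signature verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ConsentClaims is the payload the Remote Consent Application returns to IAM through the
// browser redirect. Claim names are assumptions for this example, not Airlock's format.
type ConsentClaims struct {
	Audience string   `json:"aud"`
	Expiry   int64    `json:"exp"`
	Scopes   []string `json:"accepted_scopes"`
}

var enc = base64.RawURLEncoding

// SignConsent (Remote Consent Application side): compact RS256 JWS signed with the private key.
func SignConsent(priv *rsa.PrivateKey, c ConsentClaims) (string, error) {
	payload, _ := json.Marshal(c) // cannot fail for a plain struct
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyConsent (IAM side): the public key is pinned in configuration, the algorithm is fixed
// rather than read from the header, and the claims are used only after the signature verifies.
func VerifyConsent(pinned *rsa.PublicKey, token, wantAud string, now time.Time) (*ConsentClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hdrJSON, err := enc.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected or missing alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pinned, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the pinned key")
	}
	var c ConsentClaims
	payloadJSON, err := enc.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payloadJSON, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if c.Audience != wantAud {
		return nil, errors.New("token not addressed to this IAM instance")
	}
	if !now.Before(time.Unix(c.Expiry, 0)) {
		return nil, errors.New("consent token expired")
	}
	return &c, nil
}

// RunScenario generates demo keys for the Remote Consent Application and for an attacker and
// reports the scopes IAM derives from the genuine token and whether the two attacks are rejected.
func RunScenario() (scopes []string, forgedRejected, tamperedRejected bool, err error) {
	rcaKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	attackerKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, false, false, errors.New("key generation failed")
	}
	pinned := &rcaKey.PublicKey // what the IAM administrator configured after checking it is authentic
	now := time.Now()
	claims := ConsentClaims{Audience: "airlock-iam", Expiry: now.Add(2 * time.Minute).Unix(), Scopes: []string{"openid", "profile"}}
	genuine, _ := SignConsent(rcaKey, claims)
	c, err := VerifyConsent(pinned, genuine, "airlock-iam", now)
	if err != nil {
		return nil, false, false, err
	}
	// Attack 1: the attacker signs the same claims with a key IAM never pinned.
	forged, _ := SignConsent(attackerKey, claims)
	_, err = VerifyConsent(pinned, forged, "airlock-iam", now)
	forgedRejected = err != nil
	// Attack 2: the attacker keeps the genuine signature and swaps the payload for wider scopes.
	wider := claims
	wider.Scopes = append([]string{"payments:write"}, claims.Scopes...)
	widerJSON, _ := json.Marshal(wider)
	p := strings.Split(genuine, ".")
	_, err = VerifyConsent(pinned, p[0]+"."+enc.EncodeToString(widerJSON)+"."+p[2], "airlock-iam", now)
	return c.Scopes, forgedRejected, err != nil, nil
}

func main() {
	fmt.Println(RunScenario())
}
```

The verifier fixes the algorithm to RS256 instead of honouring whatever the token header claims; accepting the header's alg is what enables the well-known alg confusion attacks (alg none, or HMAC keyed with the public key), which would let an attacker bypass exactly the signature check this protocol depends on. In a real deployment the pinned key would of course be loaded from IAM's configuration rather than generated at start-up.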

We strongly recommend using URL encryption on the Airlock Gateway (WAF) mapping for the Remote Consent Application.