Remote consent applications with OAuth

The OAuth 2.0 Authorization Code Grant involves getting a user confirmation - a so-called consent - before granting an access token to the OAuth client.

The consent screen is usually shown by the OAuth authorization server - in our case Airlock IAM - and asks the end-user whether certain scopes may be granted to a third party (the OAuth Client).

This might look as follows:


However, there are situations (e.g. PSD2) where information from the business domain (e.g. bank accounts) must be involved in the consent step.

In order to support such situations, Airlock IAM supports the concept of Remote Consent as described on this chapter.