In the Remote Consent Protocol, the Remote Consent Application sends a JWT with the set of accepted scopes to Airlock IAM. IAM accepts the JWT if the signature is correct and can be decrypted. The JWT is transported via the end user's browser in an HTTP redirect. This implies that whoever can correctly sign such a JWT can determine the scopes accepted by the end-user!
You must ensure the following:
- The public key configured in IAM used to verify the JWT signature must be authentic (= you must be really sure that it belongs to the Remote Consent Application).
- The private key used in the Remote Consent Application used to sign JWTs must remain secret.
We strongly recommend using URL encryption on the Airlock Gateway mapping for the Remote Consent Application.