OAuth 2.0 OIDC consent persister configuration

To persist OAuth 2.0 consents granted by users, follow the instructions below.

This feature is optional; the authorization server continues to work without persisted consents.

Prerequisites

To use persisted consent, the database schema must be upgraded to at least Airlock IAM 8.2. For more information on database schema upgrades, see Relational databases for IAM.

Configuration

Configuration of the Loginapp:

  1. Go to:
    Loginapp >> OAuth 2.0/OIDC Authorization Servers >> Authorization Servers >> <AS name> >> OAuth 2.0 Grants/OIDC Flows >> OIDC Authorization Code/Hybrid Flow
  2. In section User Interface, in property Consent, create and edit an OAuth 2.0 Local Consent plugin.
  3. In property Storage, create and edit an OAuth 2.0 Consent Storage plugin.
  4. In property OAuth 2.0 Consent Repository, create and edit an OAuth 2.0 Consent Repository plugin.
  5. In property SQL Data Source, select an existing JDBC Connection Pool plugin.
  6. The Loginapp is now ready to persist consent in all OAuth 2.0 Consent Step plugins.

Configuration of the Adminapp:

  1. Go to:
    Adminapp >> Users
  2. In section User Details Page - Authentication Tokens (Credentials), in property Authentication Tokens (Credentials), create or select and edit an OAuth 2.0 Token Controller.
  3. In property OAuth 2.0 Consent Repository, select the previously configured OAuth 2.0 Consent Repository plugin.
  4. The Adminapp now has access to the consents granted by users in the Loginapp.

Authorize administrators:

  1. Go to:
    Adminapp >> Access Control
  2. In section User Management, in property Manage OAuth 2.0 User Consents, add all administrator roles that should be allowed to view and delete user-granted consents.
  3. Administrators with these roles are now authorized to manage OAuth 2.0 consents.

Create Consent Consistency User Change Listener plugin:

  1. Go to:
    MAIN SETTINGS >> Data Sources >> User Data Source >> Database User Persister
  2. In section Event Listener Settings, in property User Change Event Listeners, create an OAuth 2.0 / OIDC Consent Consistency User Change Listener plugin.
  3. In property OAuth 2.0 Consent Repository, select the previously configured OAuth 2.0 Consent Repository plugin.
  4. User deletion and username change events are now synchronized with the persisted user consents.
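The following added example (not Airlock IAM code) models why the consent consistency listener from the steps above matters: without it, a persisted consent keyed by username outlives the account that granted it, so a later account reusing the name inherits it, and a renamed user loses theirs. The `ConsentRepository`, `ConsentConsistencyListener`, client ID and usernames are hypothetical stand-ins for the repository and listener plugins described on this page.

```python
# Hypothetical stand-ins (not Airlock IAM code) for the OAuth 2.0 Consent
# Repository and the Consent Consistency User Change Listener plugins.
class ConsentRepository:
    """In-memory stand-in for the JDBC-backed consent repository."""
    def __init__(self):
        self.rows = {}  # (username, client_id) -> set of granted scopes

    def grant(self, username, client_id, scopes):
        self.rows.setdefault((username, client_id), set()).update(scopes)

    def granted_scopes(self, username, client_id):
        """Scopes the consent step may skip re-prompting for."""
        return frozenset(self.rows.get((username, client_id), ()))

    def delete_for_user(self, username):
        self.rows = {k: v for k, v in self.rows.items() if k[0] != username}

    def rename_user(self, old, new):
        # Last writer wins if the new name already has a row for a client.
        self.rows = {(new if k[0] == old else k[0], k[1]): v
                     for k, v in self.rows.items()}


class ConsentConsistencyListener:
    """Receives user change events and keeps the repository consistent."""
    def __init__(self, repo):
        self.repo = repo

    def on_user_deleted(self, username):
        self.repo.delete_for_user(username)

    def on_username_changed(self, old, new):
        self.repo.rename_user(old, new)


def scenario(with_listener):
    """Constructed scenario: 'alice' consents and is deleted, then the name is
    reused; 'bob' consents and is renamed 'robert'. Returns the scopes each
    current account is treated as having already consented to."""
    repo = ConsentRepository()
    repo.grant("alice", "crm-client", {"openid", "profile"})
    repo.grant("bob", "crm-client", {"openid", "email"})
    if with_listener:
        listener = ConsentConsistencyListener(repo)
        listener.on_user_deleted("alice")
        listener.on_username_changed("bob", "robert")
    return {"new_alice": repo.granted_scopes("alice", "crm-client"),
            "robert": repo.granted_scopes("robert", "crm-client")}
```

With `with_listener=False` the new `alice` silently inherits the deleted account's consent and `robert` has none; with the listener wired in, both results are what the account owners actually granted.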

Further information and links

Internal links:

  • See OAuth 2.0 consent for general information about local and remote consent solutions with IAM.
  • See Local consent for general information about persisted local consents.