OAuth 2.0 OIDC consent persister configuration

To persist OAuth 2.0 consents granted by users follow the instructions below.

This feature is optional and the authorization server will continue to work without persisted consents.

Prerequisites

To use persisted consent, the database schema must be upgraded to at least Airlock IAM 8.2. For more information on database schema upgrades see Relational databases for IAM.

Configuration

Configuration of the Loginapp:

  1. Go to:
    Loginapp >> OAuth 2.0/OIDC Authorization Servers >> Authorization Servers >> <AS name> >> OAuth 2.0 Grants/OIDC Flows >> OIDC Authorization Code/Hybrid Flow
  2. In section User Interface in property Consent create and edit an OAuth 2.0 Local Consent plugin.
  3. In property Storage create and edit an OAuth 2.0 Consent Storage plugin.
  4. In property OAuth 2.0 Consent Repository create and edit an Oauth 2.0 Consent Repository plugin.
  5. In property SQL Data Source select an existing JDBC Connection Pool plugin.
  6. The Loginapp is ready to persist consent in all OAuth 2.0 Consent Step plugins.

Configuration of the Adminapp:

  1. Go to:
    Adminapp >> Users
  2. In section User Details Page - Authentication Tokens (Credentials) in property Authentication Tokens (Credentials) create or select and edit OAuth 2.0 Token Controller.
  3. In property OAuth 2.0 Consent Repository select the previously configured OAuth 2.0 Consent Repository plugin.
  4. The Adminapp has access to the consent granted by users in the Loginapp.

Authorize administrators:

  1. Go to:
    Adminapp >> Access Control
  2. In section User Management in property Manage OAuth 2.0 User Consents add all administrator roles that should have access to view and delete user-granted consents.
  3. Administrators are authorized to manage OAuth 2.0 consent.

Create Consent Consistency User Change Listener plugin:

  1. Go to:
    MAIN SETTINGS >> Data Sources >> User Data Source >> Database User Persister
  2. In section Event Listener Settings in property User Change Event Listeners create an OAuth 2.0 / OIDC Consent Consistency User Change Listener plugin.
  3. In property OAuth 2.0 Consent Repository select the previously configured OAuth 2.0 Consent Repository plugin.
  4. User deletion and username change events will now be synchronized with the persisted user consent.

Further information and links

Internal links:

  • See OAuth 2.0 consent for general information about local and remote consent solutions with IAM.
  • See Local consent for general information about persisted local consents.