
Remote consent configuration

Remote Consent Protocol configuration

  1. Go to:
    Loginapp >> OAuth 2.0/OIDC Authorization Server >> {{AS-ID}} >> OAuth 2.0 Grants/OIDC Flows >> OAuth 2.0 Authorization Code Grant | OIDC Authorization Code / Hybrid Flow
  2. Go to the section User Interface.
  3. Set OAuth 2.0 Remote Consent as the value for the Consent property and follow the information in the Config Editor for the configuration of this plugin.

Configure OAuth 2.0 Remote Consent

Risk

For security reasons it is strongly recommended to:

  • Protect the Remote Consent Application with Airlock Gateway, just as any other web application.
  • Restrict access to the OAuth 2.0 Remote Consent to a role (e.g. “remote_consent”).
  • Configure that role in IAM's remote consent property “Airlock Gateway Role for Remote Consent Site”.
Risk

In the Remote Consent Protocol, the Remote Consent Application sends a JWT with the set of accepted scopes to Airlock IAM. IAM accepts the JWT if the signature is correct and can be decrypted. The JWT is transported via the end user's browser in an HTTP redirect. This implies that whoever can correctly sign such a JWT can determine the scopes accepted by the end-user!

You must ensure the following:

  • The public key configured in IAM to verify the JWT signature must be authentic (that is, you must be certain that it belongs to the Remote Consent Application).
  • The private key that the Remote Consent Application uses to sign JWTs must remain secret.

We strongly recommend using URL encryption on the Airlock Gateway mapping for the Remote Consent Application.
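The following is an added example, not Airlock's code, that illustrates the trust relationship described above: the Remote Consent Application signs a token carrying the accepted scopes, and the IAM side honours those scopes only if the signature verifies against the one public key it was configured with. Everything about the token format is an assumption for illustration (a compact ES256 JWS, an `accepted_scopes` claim, an `exp` claim, the function names); this page does not document the real claim names, and the additional encryption layer the page mentions is left out. The verifier side deliberately pins the algorithm rather than trusting the token header, rejects tokens signed by any other key, and rejects expired tokens.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// ConsentClaims is the payload shape ASSUMED for this example; the claim names used by
// Airlock IAM's real remote consent JWT are not documented on this page.
type ConsentClaims struct {
	Issuer   string   `json:"iss"`
	Audience string   `json:"aud"`
	Expires  int64    `json:"exp"`             // Unix seconds
	Scopes   []string `json:"accepted_scopes"` // assumed claim name
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// GenerateConsentKey creates the P-256 key pair the Remote Consent Application would hold.
// The private half stays on that application; IAM is configured with the public half only.
func GenerateConsentKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignConsent is the Remote Consent Application side: a compact ES256 JWS
// (header.payload.signature) over the scopes the end user accepted.
func SignConsent(priv *ecdsa.PrivateKey, claims ConsentClaims) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS encodes an ES256 signature as r||s, each left-padded to 32 bytes.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyConsent is the IAM side. It trusts only the configured public key, pins the
// algorithm instead of honouring whatever the header says, and returns the accepted
// scopes only when the signature verifies and the token has not expired.
func VerifyConsent(trusted *ecdsa.PublicKey, token string, nowUnix int64) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("unreadable header")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(headerJSON, &header) != nil || header.Alg != "ES256" {
		return nil, errors.New("algorithm is not the pinned ES256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(trusted, digest[:], r, s) {
		return nil, errors.New("signature does not verify against the configured public key")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("unreadable payload")
	}
	var claims ConsentClaims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if nowUnix >= claims.Expires {
		return nil, errors.New("consent token expired")
	}
	return claims.Scopes, nil
}

func main() {
	consentAppKey, _ := GenerateConsentKey() // held by the Remote Consent Application
	token, _ := SignConsent(consentAppKey, ConsentClaims{
		Issuer: "remote-consent-app", Audience: "airlock-iam", Expires: 2_000_000_000,
		Scopes: []string{"openid", "profile"},
	})
	scopes, err := VerifyConsent(&consentAppKey.PublicKey, token, 1_700_000_000)
	fmt.Println("accepted scopes:", scopes, "err:", err)

	otherKey, _ := GenerateConsentKey() // a signer IAM was NOT configured with
	other, _ := SignConsent(otherKey, ConsentClaims{Expires: 2_000_000_000, Scopes: []string{"openid"}})
	_, err = VerifyConsent(&consentAppKey.PublicKey, other, 1_700_000_000)
	fmt.Println("token from unconfigured key rejected:", err)
}
```

The point the second Risk box makes is visible in `VerifyConsent`: the only thing standing between an attacker-chosen scope set and IAM is the pair (authentic public key in IAM, secret private key in the consent application). If the configured public key is wrong, or the private key leaks, the check above passes for tokens you did not issue, which is why the page insists on both conditions.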

Further information and links

  • See Remote consent protocol for more information on the sequence diagram of the remote consent protocol.