Remote consent configuration
Remote Consent Protocol configuration
- Go to:
Loginapp >> OAuth 2.0/OIDC Authorization Server >> {{AS-ID}} >> OAuth 2.0 Grants/OIDC Flows >> OAuth 2.0 Authorization Code Grant | OIDC Authorization Code / Hybrid Flow - Go to the section User Interface.
- Set OAuth 2.0 Remote Consent as the value for the Consent property and follow the information in the Config Editor for the configuration of this plugin.
Configure OAuth 2.0 Remote Consent
Risk
For security reasons it is strongly recommended to:
- Protect the Remote Consent Application by Airlock Gateway (just as any other web application)
- Restrict access to the OAuth 2.0 Remote Consent to a role (e.g. “remote_consent”)
- Configure the role in IAM's remote consent property “Airlock Gateway Role for Remote Consent Site”.
Risk
In the Remote Consent Protocol, the Remote Consent Application sends a JWT with the set of accepted scopes to Airlock IAM. IAM accepts the JWT if the signature is correct and can be decrypted. The JWT is transported via the end user's browser in an HTTP redirect. This implies that whoever can correctly sign such a JWT can determine the scopes accepted by the end-user!
You must ensure the following:
- The public key configured in IAM used to verify the JWT signature must be authentic (= you must be really sure that it belongs to the Remote Consent Application).
- The private key used in the Remote Consent Application used to sign JWTs must remain secret.
We strongly recommend using URL encryption on the Airlock Gateway mapping for the Remote Consent Application.
Further information and links
- See Remote consent protocol for more information on the sequence diagram of the remote consent protocol.