Authorization
The Consent Service’s distinction between privileged and unprivileged requesters determines which operations a requester can perform. During the authorization phase, the Consent servlet checks both the bearer token claims, if present, and the auth DN to determine whether the requester is privileged or unprivileged. These checks are summarized in the following table.
Requester type | Description | Access determined by | Can create consent records | Can update consent records | Can delete consent records
---|---|---|---|---|---
Unprivileged | Requesters with no authority to operate on consent records other than their own. | When using basic authentication, a requester is considered unprivileged if the auth DN is not listed in the Consent Service’s service-account-dn property. If using bearer token authentication, the access token must include a scope named by the unprivileged-scope-name property. | Yes. The subject/subjectDN and actor/actorDN values will be set based on the requester. | Yes, if the requester DN matches the subject DN. | No
Privileged | A requester with the authority to perform any operation on any consent record. | When using basic authentication, a requester is considered privileged if the auth DN is listed in the Consent Service’s service-account-dn property or has the LDAP bypass-acl privilege. If using bearer token authentication, the access token must include a scope named by the privileged-scope-name property. | Yes | Yes | Yes
Bearer token check
If a bearer token was used, the following checks are performed:
- If the Consent Service’s audience property is configured, the bearer token’s audience claim must match the configured value.
- If the bearer token contains a scope matching the Consent Service’s privileged-scope-name property, the requester is considered privileged.
- If the bearer token doesn’t contain a scope matching the Consent Service’s privileged-scope-name property, it must contain a scope matching the Consent Service’s unprivileged-scope-name property, and the requester is considered unprivileged.
Basic authentication check
If basic authentication is used, the following checks are performed:
- If the auth DN has the Lightweight Directory Access Protocol (LDAP) privilege bypass-acl, the requester is privileged.
- If the auth DN is listed in the Consent Service’s service-account-dn property, the requester is privileged.
- If the auth DN isn’t listed in the Consent Service’s service-account-dn property, the requester is considered unprivileged.
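The following added example (not the Consent Service’s own code) models the bearer token check, the basic authentication check and the per-operation rules from the table above as plain Python functions. The property values, scope names and DNs used in it are constructed placeholders, and DN matching is a simplified case-insensitive comparison that does not handle escaped commas.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConsentConfig:
    audience: Optional[str]           # Consent Service 'audience' property (optional)
    privileged_scope_name: str        # 'privileged-scope-name' property
    unprivileged_scope_name: str      # 'unprivileged-scope-name' property
    service_account_dns: frozenset    # 'service-account-dn' property values


def _normalize_dn(dn: str) -> str:
    # Simplified DN comparison: case-insensitive, whitespace around RDN separators ignored.
    # Assumption for this example; escaped commas and attribute aliases are not handled.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def classify_bearer(claims: dict, cfg: ConsentConfig) -> str:
    """Requester type for a bearer token: 'privileged', 'unprivileged' or 'denied'."""
    if cfg.audience is not None:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]   # 'aud' may be a string or a list
        if cfg.audience not in audiences:
            return "denied"          # audience configured but no matching audience claim
    scope = claims.get("scope", "")
    scopes = set(scope) if isinstance(scope, list) else set(str(scope).split())
    if cfg.privileged_scope_name in scopes:
        return "privileged"
    if cfg.unprivileged_scope_name in scopes:
        return "unprivileged"
    return "denied"                  # neither scope present: the token is rejected


def classify_basic(auth_dn: str, has_bypass_acl: bool, cfg: ConsentConfig) -> str:
    """Requester type for basic authentication, from the auth DN and its LDAP privileges."""
    if has_bypass_acl:
        return "privileged"
    if _normalize_dn(auth_dn) in {_normalize_dn(d) for d in cfg.service_account_dns}:
        return "privileged"
    return "unprivileged"


def is_allowed(requester_type: str, operation: str, requester_dn: str, subject_dn: str) -> bool:
    """Apply the per-operation rules: privileged may do anything; unprivileged may create,
    may update only its own records (requester DN equals subject DN), and may never delete."""
    if requester_type == "privileged":
        return True
    if requester_type == "unprivileged":
        if operation == "create":
            return True
        if operation == "update":
            return _normalize_dn(requester_dn) == _normalize_dn(subject_dn)
    return False
```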