PingDirectory

Configuring Consent Service scopes

Configure the privileged-consent-scope and unprivileged-consent-scope for the Consent Service.

About this task

The Consent Service checks access tokens for a subject claim and uses an identity mapper to map the value to a distinguished name (DN), called the request DN or auth DN. If no request DN can be mapped, the request is rejected.

The Consent Service only accepts an access token with a scope that it is configured to recognize.

unprivileged-consent-scope

An unprivileged consent scope designates the requester as unprivileged. The scope’s name is configured with the Consent Service’s unprivileged-consent-scope property.

privileged-consent-scope

A privileged consent scope designates the requester as privileged. This is configured using the Consent Service’s privileged-consent-scope property.

The authorization server must also be configured to issue tokens with these scopes.

Steps

  • Configure the privileged-consent-scope and unprivileged-consent-scope for the Consent Service.

    Example:

    $ bin/dsconfig set-consent-service-prop \
      --set unprivileged-consent-scope:consent \
      --set privileged-consent-scope:consent_admin