The Consent Service configuration controls authorization behavior and determines where consent records are stored in the PingDirectory Server. The service properties are set with the dsconfig set-consent-service-prop command. The consent service configuration script sets the properties as follows:
$ bin/dsconfig set-consent-service-prop \
  --set enabled:true \
  --set base-dn:ou=consents,dc=example,dc=com \
  --set "bind-dn:cn=consent service account" \
  --set unprivileged-consent-scope:urn:pingdirectory:consent \
  --set privileged-consent-scope:urn:pingdirectory:consent_admin \
  --set "consent-record-identity-mapper:User ID Identity Mapper"

The following are Consent Service properties.

Each property is listed with its description and whether it is required to enable the service.

enabled (required)
    If set to true, enables the Consent Service for handling client requests.

base-dn (required)
    Specifies a container DN for consent record entries.

bind-dn (required)
    Specifies an internal service account used by the Consent Service to perform LDAP operations.

service-account-dn (optional)
    Specifies one or more DNs of requesters that will be considered privileged when using basic authentication. If not defined, a requester will only be considered privileged if it is mapped to a DN with the bypass-acl privilege.

unprivileged-consent-scope (required)
    Specifies the name of the scope required for bearer tokens representing unprivileged requesters.

privileged-consent-scope (required)
    Specifies the name of the scope required for bearer tokens representing privileged requesters.

consent-record-identity-mapper (optional)
    Specifies one or more identity mappers used to map consent record subject and actor values to DNs. By default, these values are inferred from the authentication context, such as the bearer token subject.

audience (optional)
    Specifies an audience claim value that the Consent Service will require to be present in bearer tokens that it accepts.

For the Consent Service to report itself as available to clients, the following must be true:

  • The Consent Service must be enabled.
  • The Consent Service base DN must be configured and must exist.
  • The internal service account must be configured and must exist.
  • The internal service account must have the right to read, add, modify, and delete entries under the Consent Service base DN.
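The following Python script is an added illustration, not PingDirectory code, of two rules stated above: how the scope and audience properties (and service-account-dn with basic authentication) decide whether a requester is privileged, unprivileged or rejected, and the checklist the service must satisfy before it reports itself available. The configuration dictionary mirrors the dsconfig command on this page; the directory state, rights and token contents are constructed sample data, and the reading that a defined service-account-dn list is the sole source of privileged basic-auth requesters is an assumption.

```python
"""Model of the Consent Service authorization and availability rules.

Added example code; it is not PingDirectory's implementation. The
configuration mirrors the dsconfig command on the page, everything else
(directory state, rights, tokens) is constructed for illustration.
"""

# Constructed configuration mirroring the page's dsconfig command.
# "audience" and "service-account-dn" are not set there; they stay unset.
CONSENT_CONFIG = {
    "enabled": True,
    "base-dn": "ou=consents,dc=example,dc=com",
    "bind-dn": "cn=consent service account",
    "unprivileged-consent-scope": "urn:pingdirectory:consent",
    "privileged-consent-scope": "urn:pingdirectory:consent_admin",
    "audience": None,
    "service-account-dn": (),
}

# Rights the page requires for the service account under the base DN.
REQUIRED_RIGHTS = frozenset({"read", "add", "modify", "delete"})


def classify_bearer_request(config, token):
    """Classify a bearer-token request as privileged, unprivileged or rejected.

    token: {"scopes": set of scope names, "aud": set of audience values}.
    If an audience is configured it must be present in the token; the
    privileged scope grants privileged access, the unprivileged scope grants
    unprivileged access, anything else is rejected.
    """
    audience = config.get("audience")
    if audience is not None and audience not in token.get("aud", set()):
        return "rejected"  # required audience claim is missing
    scopes = token.get("scopes", set())
    if config["privileged-consent-scope"] in scopes:
        return "privileged"
    if config["unprivileged-consent-scope"] in scopes:
        return "unprivileged"
    return "rejected"


def classify_basic_request(config, requester_dn, privileges_by_dn):
    """Classify a basic-authentication request by its mapped DN.

    When service-account-dn is defined, only listed DNs are privileged
    (assumed reading). When it is undefined, a DN is privileged only if it
    holds the bypass-acl privilege, as the property table states.
    """
    listed = tuple(config.get("service-account-dn") or ())
    if listed:
        return "privileged" if requester_dn in listed else "unprivileged"
    if "bypass-acl" in privileges_by_dn.get(requester_dn, set()):
        return "privileged"
    return "unprivileged"


def availability_problems(config, existing_dns, rights_by_dn):
    """Return the unmet prerequisites from the availability checklist.

    existing_dns: set of DNs present in the directory (constructed).
    rights_by_dn: service-account DN -> set of rights under the base DN
    (what an ACI evaluation would yield). Empty list means available.
    """
    problems = []
    if not config.get("enabled"):
        problems.append("consent service is not enabled")
    base_dn = config.get("base-dn")
    if not base_dn:
        problems.append("base-dn is not configured")
    elif base_dn not in existing_dns:
        problems.append(f"base DN {base_dn} does not exist")
    bind_dn = config.get("bind-dn")
    if not bind_dn:
        problems.append("bind-dn is not configured")
    elif bind_dn not in existing_dns:
        problems.append(f"service account {bind_dn} does not exist")
    else:
        missing = REQUIRED_RIGHTS - rights_by_dn.get(bind_dn, set())
        if missing:
            problems.append("service account lacks rights under "
                            f"{base_dn}: {', '.join(sorted(missing))}")
    return problems


if __name__ == "__main__":
    # Constructed directory state: both entries exist, delete right missing.
    dns = {"ou=consents,dc=example,dc=com", "cn=consent service account"}
    rights = {"cn=consent service account": {"read", "add", "modify"}}
    print(availability_problems(CONSENT_CONFIG, dns, rights))
    print(classify_bearer_request(
        CONSENT_CONFIG, {"scopes": {"urn:pingdirectory:consent"}, "aud": set()}))
```

Running the script reports the missing delete right and classifies the sample token as unprivileged; setting "audience" in the dictionary makes tokens without that claim rejected regardless of scope, which is the check to enable when the token issuer serves more than one API.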