The following client application scenarios are available for determining how the Consent Service should be configured to meet your business needs.

Directly managed consents

In this scenario, one or more client applications provide an interface for individuals to directly manage their own consent records. These applications can only manage consents for the currently authenticated user. In addition, there is also a client application for consent administrators. An OAuth 2 authorization server grants access tokens that the applications use to access the Consent API.

Configuration for this scenario includes:

  1. Configure an OAuth 2 authorization server to issue a urn:pingdirectory:consent scope to individuals and a urn:pingdirectory:consent_admin scope to consent administrators.
  2. Create an identity mapper to map subject identifiers used by the authorization server to LDAP DNs used by the PingDirectory Server.
  3. Configure an access token validator to validate tokens issued by the OAuth 2 authorization server.
  4. Configure the Consent HTTP Servlet Extension to disable HTTP basic authentication and restart the HTTPS Connection Handler.
  5. Configure the Consent Service to use the OAuth scopes and token validator.

Indirectly managed consents (basic authentication)

In this scenario, an application uses a privileged service account to manage its users' consents. The application's privileged account can access any consent record, which gives the application the ability to perform operations that an individual user cannot. The following steps include the setup needed for the PingDataGovernance Server's Open Banking Account Requests service to use the Consent Service as its backend.

Configuration for this scenario includes:

  1. Create a service account for the application.
  2. Configure the Consent HTTP Servlet Extension to enable HTTP basic authentication and restart the HTTPS Connection Handler.
  3. Create an identity mapper to map consent record subject and actor attribute values to LDAP DNs. This is optional.
  4. Configure the Consent Service to use the application's service account, and optionally the identity mapper.
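The authorization model behind both scenarios, as an added illustrative example rather than PingDirectory's own code: a bearer token carrying urn:pingdirectory:consent may only reach the authenticated user's own record, a token carrying urn:pingdirectory:consent_admin or the basic-authenticated service account may reach any record, and basic authentication is refused outright when the servlet extension has it disabled (scenario 1). The token table standing in for the access token validator, the subject-to-DN table standing in for the identity mapper, the service account DN and its password are all constructed assumptions.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

USER_SCOPE = "urn:pingdirectory:consent"
ADMIN_SCOPE = "urn:pingdirectory:consent_admin"

# Constructed identity-mapper table: authorization-server subject -> LDAP DN.
SUBJECT_TO_DN = {
    "alice": "uid=alice,ou=People,dc=example,dc=com",
    "bob": "uid=bob,ou=People,dc=example,dc=com",
    "carol": "uid=carol,ou=People,dc=example,dc=com",
}

# Constructed stand-in for the access token validator: opaque token -> claims.
# A real validator verifies or introspects the token with the issuer instead.
ISSUED_TOKENS = {
    "tok-alice": {"sub": "alice", "scope": USER_SCOPE},
    "tok-carol": {"sub": "carol", "scope": ADMIN_SCOPE},
    "tok-dave": {"sub": "dave", "scope": USER_SCOPE},  # valid token, no DN mapping
}

# Constructed service account for scenario 2; only a salted hash is kept.
SERVICE_ACCOUNT_DN = "cn=Consent Service Account,cn=Root DNs,cn=config"
_SALT = b"constructed-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


_SERVICE_ACCOUNT_HASH = _hash_password("constructed-secret")


@dataclass(frozen=True)
class Principal:
    dn: str
    scopes: frozenset
    privileged: bool = False  # True only for the service account


def map_subject(subject: str) -> Optional[str]:
    """Identity mapper: subject identifier -> LDAP DN, or None if unmapped."""
    return SUBJECT_TO_DN.get(subject)


def basic_header(user: str, password: str) -> str:
    """Build an HTTP basic Authorization header value (used by the client)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(authorization: str, basic_auth_enabled: bool) -> Optional[Principal]:
    """Return the principal behind an Authorization header, or None if rejected."""
    scheme, _, credential = authorization.partition(" ")
    scheme = scheme.lower()
    if scheme == "bearer":
        claims = ISSUED_TOKENS.get(credential)
        if claims is None:
            return None
        dn = map_subject(claims["sub"])
        if dn is None:
            return None  # token is valid but no directory entry matches the subject
        return Principal(dn=dn, scopes=frozenset(claims["scope"].split()))
    if scheme == "basic":
        if not basic_auth_enabled:
            return None  # scenario 1 disables HTTP basic authentication entirely
        try:
            decoded = base64.b64decode(credential, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        if not sep or user != SERVICE_ACCOUNT_DN:
            return None
        # Constant-time comparison of the derived hashes.
        if not hmac.compare_digest(_hash_password(password), _SERVICE_ACCOUNT_HASH):
            return None
        return Principal(dn=SERVICE_ACCOUNT_DN, scopes=frozenset(), privileged=True)
    return None


def authorize(principal: Optional[Principal], record_subject_dn: str) -> bool:
    """May this principal manage the consent record whose subject is record_subject_dn?"""
    if principal is None:
        return False
    if principal.privileged or ADMIN_SCOPE in principal.scopes:
        return True  # administrators and the service account reach any record
    if USER_SCOPE in principal.scopes:
        return principal.dn == record_subject_dn  # individuals reach only their own
    return False


def can_manage(authorization: str, record_subject_dn: str, basic_auth_enabled: bool) -> bool:
    return authorize(authenticate(authorization, basic_auth_enabled), record_subject_dn)
```

The identity mapper is what ties the two halves together: a token whose subject has no directory entry is rejected even though the token itself is valid, which is why step 2 of the first scenario is not optional, whereas in the second scenario the service account is a directory entry already and the mapper only matters for resolving the subject and actor values inside consent records.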