Consent Token
The Consent Token is a JWT used in the Consent Protocol to prove a user has granted their consent for an application to access the data provided by a data source. When the user has granted the consent, the consent provider can issue a consent token to the app. The application includes the consent token in the X-Consent-Token header in the requests it makes to the product gateway, which forwards the header to the productizer. The productizer is responsible for validating the token and handling access control to the data it provides. Below are details on fields or claims included in the header and body of the token.
{
"header": {
"v": "0.2",
"tid": "36bd899b-8b43-484c-ac58-a4da7e32273d",
"kid": "0fcf0244-69fa-454d-a124-0bd8bc05430",
"alg": "RS256",
"typ": "JWT",
"jku": "https://consent.sandbox.ioxio-dataspace.com/.well-known/jwks.json"
},
"body": {
"iss": "https://consent.sandbox.ioxio-dataspace.com",
"sub": "debade8a-091d-42da-9b0c-e61f9471e2c3",
"subiss": "https://login.sandbox.ioxio-dataspace.com",
"acr": "fake-auth",
"app": "bb8c7f74-0855-42e1-ba09-70bb27103ded",
"appiss": "https://login.sandbox.ioxio-dataspace.com",
"dsi": "dpp://source@sandbox.ioxio-dataspace.com/draft/Weather/Current/Metric",
"exp": 1678492800,
"iat": 1678406400
}
}
The version of the Consent Token standard the token follows.
Must be one of:
- "0.2"
"0.2"
A consent token ID, It is unique for each consent the user has granted to some app. Multiple consent token JWTs can however be issued for the same consent with for example different iat and exp, but sharing the same tid.
"36bd899b-8b43-484c-ac58-a4da7e32273d"
The key ID used to sign the token. A key with the same kid must be found in the JWKS pointed to by the consent configuration.
"0fcf0244-69fa-454d-a124-0bd8bc05430"
The algorithm the token is signed with.
Must be one of:
- "RS256"
"RS256"
The algorithm the token is signed with, must be RS256
Must be one of:
- "JWT"
"JWT"
JWK Set URL where the key the token was signed with can be found. Note that apps or productizers that validate the token must not trust this header alone, as that would allow bypassing the validation. If the key is loaded based on this, the URL must be validated to match the jwks_uri in the consent-configuration. If that is done, this can be used in libraries or online services like for example JWT.io to quickly and easily validate the token.
Must be at least 1 characters long
Must be at most 2083 characters long
"https://consent.sandbox.ioxio-dataspace.com/.well-known/jwks.json"
The issuer of the token. This is the base URL for the consent provider.
Must be at least 1 characters long
Must be at most 2083 characters long
"https://consent.sandbox.ioxio-dataspace.com"
The sub from the ID Token of the user.
"debade8a-091d-42da-9b0c-e61f9471e2c3"
The iss from the ID Token of the user.
"https://login.sandbox.ioxio-dataspace.com"
The acr from the ID Token of the user.
"fake-auth"
The app identifier (OIDC Client ID of the app).
"bb8c7f74-0855-42e1-ba09-70bb27103ded"
The iss (OIDC issuer) at which the app is registered.
"https://login.sandbox.ioxio-dataspace.com"
Data source identifier for which the token proves consent.
Must be at least 1 characters long
Must be at most 65536 characters long
"dpp://source@sandbox.ioxio-dataspace.com/draft/Weather/Current/Metric"
The unix timestamp at which the token expires. Must not be in the past.
1678492800
The unix timestamp at which the token was issued. It must not be in the future.
1678406400