Consent Token
The Consent Token is a
JWT used
in the
Consent Protocol
to prove a user has granted their consent for an application to access the data provided by a
data source. When the user has granted the consent, the consent provider can issue a consent
token to the app. The application includes the consent token in the
X-Consent-Token
header in the requests it makes to the product gateway, which
forwards the header to the productizer. The productizer is responsible for validating the token
and handling access control to the data it provides. Below are details on fields or claims
included in the header and body of the token.
{
"header": {
"v": "0.2",
"tid": "36bd899b-8b43-484c-ac58-a4da7e32273d",
"kid": "0fcf0244-69fa-454d-a124-0bd8bc05430",
"alg": "RS256",
"typ": "JWT",
"jku": "https://consent.sandbox.ioxio-dataspace.com/.well-known/jwks.json"
},
"body": {
"iss": "https://consent.sandbox.ioxio-dataspace.com",
"sub": "debade8a-091d-42da-9b0c-e61f9471e2c3",
"subiss": "https://login.sandbox.ioxio-dataspace.com",
"acr": "fake-auth",
"app": "bb8c7f74-0855-42e1-ba09-70bb27103ded",
"appiss": "https://login.sandbox.ioxio-dataspace.com",
"dsi": "dpp://source@sandbox.ioxio-dataspace.com/draft/Weather/Current/Metric",
"exp": 1678492800,
"iat": 1678406400
}
}
The version of the Consent Token standard the token follows.
Must be one of:
- "0.2"
"0.2"
A consent token ID, It is unique for each consent the user has granted to some
app. Multiple consent token JWTs can however be issued for the same consent with
for example different iat
and exp
, but sharing the
same tid
.
"36bd899b-8b43-484c-ac58-a4da7e32273d"
The key ID used to sign the token. A key with the same kid must be found in the JWKS pointed to by the consent configuration.
"0fcf0244-69fa-454d-a124-0bd8bc05430"
The algorithm the token is signed with.
Must be one of:
- "RS256"
"RS256"
The algorithm the token is signed with, must be RS256
Must be one of:
- "JWT"
"JWT"
JWK Set URL where the key the token was signed with can be found. Note that apps
or productizers that validate the token must not trust this header alone, as
that would allow bypassing the validation. If the key is loaded based on this,
the URL must be validated to match the jwks_uri
in the
consent-configuration. If that is
done, this can be used in libraries or online services like for example
JWT.io to quickly
and easily validate the token.
Must be at least 1
characters long
Must be at most 2083
characters long
"https://consent.sandbox.ioxio-dataspace.com/.well-known/jwks.json"
The issuer of the token. This is the base URL for the consent provider.
Must be at least 1
characters long
Must be at most 2083
characters long
"https://consent.sandbox.ioxio-dataspace.com"
The sub
from the ID Token of the user.
"debade8a-091d-42da-9b0c-e61f9471e2c3"
The iss
from the ID Token of the user.
"https://login.sandbox.ioxio-dataspace.com"
The acr
from the ID Token of the user.
"fake-auth"
The app identifier (OIDC Client ID of the app).
"bb8c7f74-0855-42e1-ba09-70bb27103ded"
The iss
(OIDC issuer) at which the app is registered.
"https://login.sandbox.ioxio-dataspace.com"
Data source identifier for which the token proves consent.
Must be at least 1
characters long
Must be at most 65536
characters long
"dpp://source@sandbox.ioxio-dataspace.com/draft/Weather/Current/Metric"
The unix timestamp at which the token expires. Must not be in the past.
1678492800
The unix timestamp at which the token was issued. It must not be in the future.
1678406400