Consent Management

Consent is a process where users can grant permission for an application to access a protected resource. For example, an application can request permission to share your name or other personally identifiable information with an external service provider. While this might seem like a simple yes/no question, managing user consent can actually be quite complex. Countries and regions have different laws that require websites and apps to get their users' consent to store information about them, and these laws change over time.

BlockID helps manage user consent by keeping a record of all consent decisions in the form of a JSON artifact called a Consent Receipt.

Overview

  • A Consent Receipt is created whenever a user is prompted to make a consent decision.
  • Users can choose to grant or deny consent.
  • Users can revoke previously granted consent.
  • A previously revoked consent may not be re-granted. A new consent decision needs to be made, which will override the previous one.

As an example, a dummy user is using BlockID to verify their online identity. In order to do so, BlockID needs to share some of the user's personal information with an external service provider.

The user is asked to share their first name and is prompted to either deny or approve the request.

The user decides to approve and grant their consent to share their first name. Once the user clicks approve, a Consent Receipt is created.

Example Consent Receipt. Please note that this example contains dummy information:

{
  "version": "BID-CR-v1.0.0",
  "jurisdiction": "",
  "consentTimestamp": 1670098742,
  "collectionMethod": "Consent Form",
  "consentReceiptID": "225ec592-c26a-471a-95b4-2198f4b21f77",
  "publicKey": "X7QpY823dxoYzr9qZvJ3#z6MkiY62766b1LJkExWMsM3QG4WtX7QpY823dxoYzr9qZvJ3=",
  "language": "en",
  "piiPrincipal": { // user giving the consent
    "urn": "urn:uvci:af5vshde843jf831j128fj",
    "username": "john.doe@company.com",
    "did": "did:key:z6MkiY62766b1LJkExWMsM3QG4WtX7QpY823dxoYzr9qZ",
    "publicKey": "1LJkExWMsM3QG4WtX7QpY823dxoYzr9qZvJ3#z6MkiY62766b1LJkExWMsM3QG4WtX7QpY823dxoYzr9qZvJ3"
  },
  "piiControllers": [{ // to whom the consent is given
    "type": "serviceprovider",
    "id": "sp._id",
    "name": "citizenbenefit",
    "entityId": "sp.oidc_config.client_id"
  }],
  "piiProcessor": [{ // tenant / community information
    "tenantDns": "blockid-trial.1kosmos.com",
    "tenantId": "trial",
    "communityName": "default",
    "communityId": "5f3d8d0cd866fa000000"
  }],
  "policyUrl": "https://www.1kosmos.com/privacy",
  "scopes": [ // data consented
    {
      "name": "profile",
      "uuid": "$uuid",
      "claims": ["firstname"],
      "consentType": "EXPLICIT"
    }
  ],
  "requestID": "2c438340-fea4-4cae-b84b-0468fdb9d487",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36",
  "clientIP": "123.67.67.1",
  "signature": "z6MkiY62766b1LJkExWMsM3QG4WtX7QpY823dxoYzr9qZvJ3#z6MkiY62766b1LJkExWMsM3QG4WtX7QpY823dxoYzr9qZvJ3",
  "services": []
}

The receipt records the user's decision, the information being shared, along with user account and tenant information.
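
The following is an added example, not BlockID code: a sketch of how a service holding a history of receipts could apply the Overview rules (latest decision overrides earlier ones, revoked consent stays revoked until a new decision) before releasing a claim. It assumes a `decision` field with values `granted`, `denied` or `revoked`, which the sample receipt above does not show; the helper names, the `did:example:alice` identifier and the `example-client` entity ID are constructed for illustration.

```python
# Field names follow the sample receipt on this page. "decision" is an ASSUMED
# field: the sample does not show how grant/deny/revoke is encoded.
REQUIRED = ("version", "consentTimestamp", "consentReceiptID",
            "piiPrincipal", "piiControllers", "scopes", "decision")

def make_receipt(rid, ts, claims, decision):
    """Build a constructed (dummy) receipt, trimmed to the fields used below."""
    return {
        "version": "BID-CR-v1.0.0",
        "consentTimestamp": ts,
        "consentReceiptID": rid,
        "piiPrincipal": {"did": "did:example:alice"},
        "piiControllers": [{"entityId": "example-client"}],
        "scopes": [{"name": "profile", "claims": claims, "consentType": "EXPLICIT"}],
        "decision": decision,
    }

def validate(receipt):
    """Return a list of structural problems; an empty list means usable."""
    problems = [f"missing {k}" for k in REQUIRED if k not in receipt]
    if not problems and not isinstance(receipt["consentTimestamp"], int):
        problems.append("consentTimestamp is not an integer")
    return problems

def effective_receipt(receipts, did, entity_id):
    """Latest receipt for this user and controller (expects validated receipts)."""
    matching = [r for r in receipts
                if r["piiPrincipal"].get("did") == did
                and any(c.get("entityId") == entity_id for c in r["piiControllers"])]
    return max(matching, key=lambda r: r["consentTimestamp"], default=None)

def may_share(receipts, did, entity_id, requested_claims):
    """True only if the latest decision is a grant covering every requested claim."""
    if any(validate(r) for r in receipts):
        return False  # fail closed: a malformed record could hide a revocation
    latest = effective_receipt(receipts, did, entity_id)
    if latest is None or latest["decision"] != "granted":
        return False  # fail closed: no record, denied, or revoked
    consented = {c for s in latest["scopes"] for c in s.get("claims", [])}
    return set(requested_claims) <= consented

# Constructed history: grant, then revoke, then a new decision that overrides it.
HISTORY = [
    make_receipt("r1", 1670098742, ["firstname"], "granted"),
    make_receipt("r2", 1670100000, ["firstname"], "revoked"),
    make_receipt("r3", 1670200000, ["firstname"], "granted"),
]
```

The check trusts the receipt contents as given; verifying the `signature` field is out of scope here because the page does not describe the signing scheme.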