Consumer Access Control

A consumer who exists in the data store has the right to revoke their account from an application. However, their account may be associated with multiple applications. Therefore, when they request to be revoked from a specific application, their account should not be deleted from the database entirely; instead, access should be revoked for that application only.

Next Identity provides a granular access grant for each application individually. When a consumer creates an account, logs in, or is pre-registered for an application, they are either asked to provide consent or the consent is implicit based on the policies. The access grant for each application is available for the application to check as needed; Next Identity also provides a user interface through which the consumer can manage their own application access.

To manage access, a consumer can navigate to their edit profile screen and revoke access from the current application:

In the client settings, the menu option for the Revoke access page is mapped in the profile_menu settings as revoke_access_index.

Revoke access menu.

Revoke access confirmation pop-up menu.

For users who revoked access but later return: on re-authentication, the application calls the account/token API endpoint, which checks the user's access grant through the user /property-access endpoint. If the token endpoint responds with 422, the user is prompted to consent to granting access again to that specific application. The prompt also displays links to the Terms and Conditions and Privacy Policy, and it names the application using the site_name setting.

  • If the user selects the Deny button, they are logged off and returned to the login page.
  • If the user selects the Allow button, the app calls the account/token API endpoint. The /token endpoint then calls the user /property-access endpoint to update the necessary records, returns an access token, and the user is redirected to the Personal Details page.

Allow an application to connect to your account.
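
The re-authentication flow above, as an added example that is not Next Identity's own code: a client-side handler that calls the token endpoint, treats a 422 as "no access grant for this application", prompts for consent, and follows the Deny and Allow branches. The endpoint name, the 422 status and the site_name setting come from this page; the request body, the response shape, the `consent` flag and the terms_url/privacy_url setting names are assumptions, and the token endpoint is a constructed in-memory stand-in.

```javascript
// Added example (not Next Identity's own code). Models the re-authentication
// consent flow: the token endpoint answers 422 when the user has no access
// grant for this application, Deny logs the user off, Allow retries the call.
// ASSUMED: request body, response JSON shape and the `consent` flag.

const TOKEN_ENDPOINT = "/account/token"; // page names "account/token"

// Constructed stand-in for the token endpoint: it issues a token only once a
// property-access grant exists for the app (recorded on the first consent).
function makeFakeTokenEndpoint({ granted = false } = {}) {
  const state = { granted, tokensIssued: 0 };
  return {
    state,
    async post(path, body) {
      if (path !== TOKEN_ENDPOINT) return { status: 404, body: {} };
      if (!state.granted && body.consent !== true) return { status: 422, body: {} };
      state.granted = true;                 // /property-access record updated
      state.tokensIssued += 1;
      return { status: 200, body: { access_token: `tok-${state.tokensIssued}` } };
    },
  };
}

// `ui.askConsent` renders the consent prompt (app name, Terms, Privacy links)
// and resolves to true for Allow, false for Deny; `ui.logout` ends the session.
async function reauthenticate({ clientSettings, credentials, http, ui }) {
  let res = await http.post(TOKEN_ENDPOINT, { ...credentials });
  if (res.status === 422) {
    const allowed = await ui.askConsent({
      appName: clientSettings.site_name,        // site_name from client settings
      termsUrl: clientSettings.terms_url,       // assumed setting names
      privacyUrl: clientSettings.privacy_url,
    });
    if (!allowed) {
      ui.logout();                              // Deny: log off, back to login
      return { next: "login", token: null };
    }
    // Allow: call /token again; it updates the property-access records and
    // returns an access token.
    res = await http.post(TOKEN_ENDPOINT, { ...credentials, consent: true });
  }
  if (res.status !== 200) throw new Error(`token endpoint returned ${res.status}`);
  return { next: "personal_details", token: res.body.access_token };
}
```

Once the grant has been recorded, a later re-authentication receives a token without the prompt, which is the behaviour the fake endpoint models.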

📘 Note on property

Since an application can be represented by multiple client IDs, the concept of ‘property’ allows for the user access to be set for all components of that application.

If a user revokes their access from an application, their session will immediately terminate.