A consumer who exists in the data store has the right to revoke their account from an application. However, their account may be associated with multiple applications. Therefore, when they request to be revoked from a specific application, their account should not be completely deleted from the database; instead, it should be revoked from only that application.
Next Identity provides granular access grants for each application individually. When a consumer creates an account, logs in, or is pre-registered for an application, they are either asked to provide consent or the consent is implicit based on the policies. The access grant for each application is accessible to the application to check as needed; however, Next Identity also provides a user interface through which consumers can manage their application access.
To manage access, a consumer can navigate to their edit profile screen and revoke access from the current application.
In the client settings, the menu option for the Revoke access page is mapped in the profile_menu setting:
- If the user selects the Deny button, they are logged off and returned to the login page.
- If the user selects the Allow button, the app calls the account/token API endpoint. The /token endpoint then calls the user /property-access endpoint to update the necessary records. The token endpoint then returns an access token and the user is redirected to the Personal Details page.
Since an application can be represented by multiple client IDs, the concept of 'property' allows the user's access to be set for all components of that application at once.
If a user revokes their access from an application, their session will immediately terminate.
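The behaviour described above, modelled as an added example (not Next Identity's own code): client IDs are grouped into a property, a revocation removes only that property's grant and ends every session issued by its client IDs, and the account record itself survives. The class and function names and the sample mapping are constructed for this illustration.

```python
# Added illustration (not Next Identity code): per-application access grants
# keyed by "property", so revoking one application neither deletes the account
# nor touches grants for other applications. Names and data are constructed.
from dataclasses import dataclass, field

# Constructed mapping: several client IDs can belong to one application (property).
CLIENT_TO_PROPERTY = {
    "web-client": "shop",
    "mobile-client": "shop",
    "support-portal": "support",
}

@dataclass
class Consumer:
    email: str
    granted_properties: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)  # keyed by issuing client ID

class Directory:
    """In-memory stand-in for the consumer data store."""
    def __init__(self):
        self.consumers = {}

    def register(self, email, client_id, consent=True):
        c = self.consumers.setdefault(email, Consumer(email))
        if consent:  # explicit consent, or implicit per policy
            c.granted_properties.add(CLIENT_TO_PROPERTY[client_id])
        return c

    def login(self, email, client_id):
        c = self.consumers[email]
        if CLIENT_TO_PROPERTY[client_id] not in c.granted_properties:
            raise PermissionError("access not granted for this application")
        c.sessions[client_id] = f"session-{client_id}"
        return c.sessions[client_id]

    def revoke_access(self, email, client_id):
        """Revoke the whole application (every client ID of its property)."""
        c = self.consumers[email]
        prop = CLIENT_TO_PROPERTY[client_id]
        c.granted_properties.discard(prop)
        for cid, p in CLIENT_TO_PROPERTY.items():
            if p == prop:            # all components lose their sessions now
                c.sessions.pop(cid, None)
        return c                     # account record is kept, not deleted

    def has_access(self, email, client_id):
        c = self.consumers.get(email)
        return c is not None and CLIENT_TO_PROPERTY[client_id] in c.granted_properties
```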