Consent Service

Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.

Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.

The Consent Service contains the properties that affect the overall operation of the Directory Server Consent API.


Relations from This Component

The following components have a direct aggregation relation from Consent Services:

Properties

The properties supported by this managed object are as follows:


General Configuration
  Basic Properties: enabled, base-dn, bind-dn, search-size-limit, consent-record-identity-mapper
  Advanced Properties: None

Authorization
  Basic Properties: service-account-dn, unprivileged-consent-scope, privileged-consent-scope, audience
  Advanced Properties: None

Basic Properties

enabled

Property Group
General Configuration
Description
Indicates whether the Consent Service is enabled. If the Consent Service is not enabled, then it is not available for processing consent requests. Note that the Consent HTTP Servlet Extension must also be assigned to an active HTTP Connection Handler.
Default Value
false
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

base-dn

Property Group
General Configuration
Description
The base DN under which consent records are stored.
Default Value
If this property is not specified, then the Consent Service will be considered unavailable.
Allowed Values
A valid DN.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

bind-dn

Property Group
General Configuration
Description
The DN of an internal service account used by the Consent Service to make internal LDAP requests. The Consent Service binds as the DN specified by the bind-dn property when it reads and modifies consent record entries. This DN must have read, write, add, and delete access to the entries under the DN specified by the base-dn property.
Default Value
If this property is not specified, then the Consent Service will be considered unavailable.
Allowed Values
A valid DN.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

search-size-limit

Property Group
General Configuration
Description
The maximum number of consent resources that may be returned from a search request. If the number of search results for a given request exceeds this value, an error will be returned to the client indicating that the search matched too many results.
Default Value
100
Allowed Values
An integer value. Lower limit is 1. Upper limit is 100000 .
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

consent-record-identity-mapper

Property Group
General Configuration
Description
If specified, the Identity Mapper(s) used to map explicitly provided subject and actor values in consent record requests to DNs. Typically, this is only needed when a privileged client manages consent records on behalf of other users. Unprivileged clients, which only act on consent records for the currently authenticated user, typically omit the subject and actor fields so that the Consent Service can infer those values, including the corresponding DNs, from the authentication context.

When a consent record is created or updated and the client includes a subject or actor value, the Consent Service consults this list of Identity Mappers in sequence until one returns a matching DN for that value. If a matching DN is found, it is used as the value of the subjectDN or actorDN field, respectively.

Default Value
Subject and actor values in consent record requests will be mapped to DN values exclusively based on the authenticated identity.
Allowed Values
The DN of any Identity Mapper.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

service-account-dn

Property Group
Authorization
Description
The set of account DNs that the Consent Service will consider to be privileged. Any DN in this set may authenticate to the Consent Service using HTTP Basic auth (if it is enabled). Such accounts are considered privileged and are granted full access to consent resources.

If using bearer token authentication, then a client is instead considered privileged based on the privileged-consent-scope property.

Default Value
If no service account DNs are specified, then no clients authenticating using HTTP Basic auth will be considered to be privileged by the Consent Service.
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

unprivileged-consent-scope

Property Group
Authorization
Description
The name of a scope that must be present in an access token accepted by the Consent Service for unprivileged clients.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

privileged-consent-scope

Property Group
Authorization
Description
The name of a scope that must be present in an access token accepted by the Consent Service if the client is to be considered privileged.
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

audience

Property Group
Authorization
Description
A string or URI that identifies the Consent Service in the context of OAuth2 authorization. If present, this value must be present in the audience claim of any access tokens accepted by the Consent Service. Providing an audience value is recommended, as it ensures that the Consent Service does not accept access tokens intended for another service.
Default Value
If this property is not specified, then the Consent Service will ignore the audience claim of any access tokens that it accepts.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
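The following is an illustrative model, added here and not part of the Directory Server, of how the service-account-dn, unprivileged-consent-scope, privileged-consent-scope and audience properties decide whether a caller is privileged, and of how the consent-record-identity-mapper chain then resolves subject and actor values. Everything in it is constructed: the config dataclass, the DNs, the sample directory, the `sub_dn` claim standing in for the token-to-DN mapping, and the two behaviours flagged as assumptions in comments (no scope required when unprivileged-consent-scope is unset; an unprivileged client that names another user is rejected).

```python
"""Illustrative model of the Consent Service authorization and subject/actor
resolution rules documented on this page. Constructed example code, not the
Directory Server's implementation; all DNs, claims and directory data are sample data."""
from dataclasses import dataclass, field
from typing import Optional


class ConsentAuthError(Exception):
    """Raised when a request would be rejected by the rules modelled here."""


@dataclass
class ConsentServiceConfig:
    # Field names mirror the dsconfig properties described above.
    service_account_dns: set = field(default_factory=set)   # service-account-dn
    unprivileged_consent_scope: Optional[str] = None        # unprivileged-consent-scope
    privileged_consent_scope: Optional[str] = None          # privileged-consent-scope
    audience: Optional[str] = None                          # audience
    identity_mappers: list = field(default_factory=list)    # consent-record-identity-mapper


@dataclass
class Principal:
    dn: str
    privileged: bool


def authorize_basic(cfg: ConsentServiceConfig, bind_dn: str) -> Principal:
    """HTTP Basic auth: the bound DN is the principal and is privileged only if it is
    listed in service-account-dn (case-insensitive compare; real DN normalisation is richer)."""
    listed = {dn.lower() for dn in cfg.service_account_dns}
    return Principal(dn=bind_dn, privileged=bind_dn.lower() in listed)


def authorize_bearer(cfg: ConsentServiceConfig, claims: dict) -> Principal:
    """Bearer token auth. `claims` is the payload of an access token whose signature
    is assumed already validated; 'sub_dn' is a constructed claim holding the subject's DN."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):            # RFC 7519 allows a single string or a list
        aud = [aud]
    if cfg.audience is not None and cfg.audience not in aud:
        # This is what configuring audience buys: a token minted for another
        # service is refused even if its scopes would otherwise pass.
        raise ConsentAuthError("access token audience does not include the Consent Service")
    scopes = set(claims.get("scope", "").split())   # space-delimited scope string
    if cfg.privileged_consent_scope and cfg.privileged_consent_scope in scopes:
        return Principal(dn=claims["sub_dn"], privileged=True)
    if cfg.unprivileged_consent_scope is None or cfg.unprivileged_consent_scope in scopes:
        # Assumption: with no unprivileged-consent-scope configured, no scope is required.
        return Principal(dn=claims["sub_dn"], privileged=False)
    raise ConsentAuthError("access token lacks the required consent scope")


def map_identity(cfg: ConsentServiceConfig, value: str) -> str:
    """Walk the consent-record-identity-mapper list in order until one yields a DN."""
    for mapper in cfg.identity_mappers:
        dn = mapper(value)
        if dn is not None:
            return dn
    raise ConsentAuthError(f"no identity mapper resolved {value!r} to a DN")


def resolve_record_identities(cfg, principal, subject=None, actor=None):
    """Return (subjectDN, actorDN) for a consent record create/update. Omitted fields are
    inferred from the authenticated identity; supplied fields go through the mapper chain.
    Assumption: an unprivileged client whose subject/actor is not its own DN is rejected."""
    resolved = []
    for value in (subject, actor):
        dn = principal.dn if value is None else map_identity(cfg, value)
        if not principal.privileged and dn.lower() != principal.dn.lower():
            raise ConsentAuthError("unprivileged client may only act on its own consent records")
        resolved.append(dn)
    return tuple(resolved)


# Constructed sample directory (uid -> DN) and two mappers: exact DN, then uid lookup.
DIRECTORY = {
    "alice": "uid=alice,ou=People,dc=example,dc=com",
    "bob": "uid=bob,ou=People,dc=example,dc=com",
}


def exact_dn_mapper(value: str) -> Optional[str]:
    return value if value in DIRECTORY.values() else None


def uid_mapper(value: str) -> Optional[str]:
    return DIRECTORY.get(value)


CONFIG = ConsentServiceConfig(
    service_account_dns={"cn=Consent Admin,ou=Service Accounts,dc=example,dc=com"},
    unprivileged_consent_scope="consent",
    privileged_consent_scope="consent_admin",
    audience="https://ds.example.com/consent",
    identity_mappers=[exact_dn_mapper, uid_mapper],
)

if __name__ == "__main__":
    admin = authorize_bearer(CONFIG, {"sub_dn": DIRECTORY["alice"], "scope": "consent_admin",
                                      "aud": ["https://ds.example.com/consent"]})
    print(resolve_record_identities(CONFIG, admin, subject="bob"))
    user = authorize_basic(CONFIG, DIRECTORY["alice"])
    try:
        resolve_record_identities(CONFIG, user, subject="bob")
    except ConsentAuthError as e:
        print("rejected:", e)
```

Note that with `audience` left unset, `authorize_bearer` never looks at `aud`, which is exactly the token-reuse exposure the audience property's description warns about; the `ConsentServiceConfig()` default reproduces that so the two behaviours can be compared side by side.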


dsconfig Usage

To view the Consent Service configuration:

dsconfig get-consent-service-prop
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the Consent Service configuration:

dsconfig set-consent-service-prop
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...