External consent provider integration

Edit online

You can use third-party consent providers to manage data usage.

Overview

Note: External consent providers is a requestable feature, CI-131365. To request this feature, contact your IBM Sales representative or IBM contact and indicate your interest in enabling this capability. If you have permission to create a support ticket, create a support ticket with the feature number. Note: IBM® Verify trial subscriptions cannot create support tickets.

IBM Verify supports integration with external consent management systems through real-time webhooks. This function enables organizations to use third-party consent providers for managing user-data usage approvals while maintaining seamless authentication flows.

Consent lifecycle

  • The integration uses three real-time webhook endpoints that correspond to the consent lifecycle that are represented as webhook resources:
data-usage-approval (dua)

This endpoint is triggered to check the status of consent and to perform any additional policy checks. The consent provider evaluates the user's consent status and returns a decision.

data-subject-presentation (dsp)

This endpoint is triggered to present the user with the consent details. The consent provider generates information that is presented on a consent page or prompt.

store-consents (consents)

This endpoint is triggered to store the consent details. The consent provider stores the consent details in its own consent management system.

Achitecture

The following diagram illustrates the consent lifecycle:
Figure 1. External consent provider
The diagram shows the consent flow through the endpoints
Often, the request or response contract defined by IBM Verify does not match the contract defined by the consent provider. In such cases, the outgoing request and incoming response can be customized by using either webhook transforms or a mediator that is illustrated in the diagram. The mediator is operated outside of IBM Verify and can, for example, be a serverless function that contains the transformation logic.

Sample implementation

See the sample mediator app repository for:
  • Complete Node.js implementation of external consent provider webhook application.
  • Basic endpoints with in-memory storage.
  • IBM Verify Privacy SDK integration that uses an IBM Verify tenant as a consent management system. This integration does not have to be the same tenant used for authentication. In this mode, this application acts as a mediator that handles any transformation of payloads.
  • Request validation and error handling.
  • Example request and response payloads.
  • Postman collection for testing.
  • Configuration guide for IBM Verify.

API reference

Additional resources