Skip to content

Consent Flow in Sign-in Workflow

Introduction

The consent workflow allows users to authorize third-party applications to access data/resources. It presents detailed scope descriptions and purposes, enabling users to make informed decisions about granting access. This transparent, user-friendly process empowers users to control their data with third-party applications.

Note: This functionality applies only to third-party applications using one of these grant types:

  • Authorization Code
  • Authorization Code with PKCE
  • Device Authorization Grant
  • Applications are classified as third-party if they are not part of the Trimble account hierarchy.

Scope Management

The Cloud Console allows defining scopes for the API/resource-server as part of the provider workflow. Scopes define the level of access requested by an application and are formatted as:

  • <resource-name>:<resource-type>.<action>

Example:

  • files-service:files.read

Trimble Identity (TID) also supports dynamic scopes for fine-grained access, allowing requests for specific resources. These are formatted as:

  • <resource-name>:<resource-type>.<action>:<id>#<human_readable_file_name>

Example:

  • files-service:files.read:12345#document.pdf

Scope Request Types

  • Entire Resource Server (e.g., files-service):

    https://stage.id.trimblecloud.com/oauth/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=token&scope=openid%20files-service
  • Resource Types (e.g., files-service:files):

    https://stage.id.trimblecloud.com/oauth/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=token&scope=openid%20files-service:files
  • Specific Resource Actions (e.g., files-service:files.read):

    https://stage.id.trimblecloud.com/oauth/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=token&scope=openid%20files-service:files.read
  • Specific Resources (Dynamic Scopes):

    https://stage.id.trimblecloud.com/oauth/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=token&scope=openid%20files-service:files.read:12345#document.pdf

  • User consent is for the entire set of scopes requested in the /authorize call.
  • Users can approve or reject the entire request.
  • Consent is a one-time activity per scope per application, stored in TID’s data store until revoked.
  • Upon approval, the user is logged into the application.
  • The authentication token contains the approved scopes in JWT claims.

Example of user token with scope claim:

scope: "file:file.edit:14678#sketchup.skp file:spaces.write file:spaces.readonly"
  • A default scope description is shown: “See your user profile data including your given name, last name, email address, locale, and profile picture.”
  • The scopes requested by the application, along with detailed descriptions and purposes for each scope, are presented to the user.

tid-userscopes_consent_screen_Sign-in.png


If a scope is defined with the attribute always show consent set to true, the user will be presented with the consent screen on every login. This ensures that users are continuously informed and can reassess their consent decisions for specific scopes that require ongoing approval.

tid-userscopes_always_show_consent.png


Notification Email

After the user allows the consent by approving the requested scopes on the consent screen, a notification email is sent to the user. This email serves to confirm the user’s action and provides a record of the consent given, ensuring transparency and keeping the user informed about the access permissions granted to the third-party application.

tid-userscopes_notification_email.png


If the user denies consent, they are redirected to the error redirect URI with an error message:

<redirect_uri>?error=consent_required&error_description=User+declined+the+consent

Users can review and revoke previously granted consents at any time from their account settings or profile page. Once consent is revoked, the application will need to request consent again the next time access is required.


Security and Privacy

All consent decisions and scope grants are securely stored and managed by TID. User data and granted permissions are never shared with unauthorized parties.


Consent is typically valid until revoked by the user. However, if a scope is marked as always show consent, the user will be prompted for consent on every login. TID may also require re-consent if scopes change or as part of periodic security reviews.