Consent gives a user the ability to authorize the scope of operation(s) a client (i.e. an application) can perform when accessing their resources whilst acting on their behalf.

Hi, I’m Peter Fernandez, and as a CIAM expert I want to share my experience building Consent, a modern Authorization paradigm, into modern applications.

User Choice

Customers today are more aware of their data privacy rights than ever. By obtaining explicit consent to collect and process a customer’s data, companies can tailor services, offers, and content to meet individual needs, whilst at the same time respecting user privacy and adhering to regulatory compliance.

Regulatory Compliance

Different jurisdictions have different laws that mandate how personal data must be handled. The General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in California are just two examples of legislation where non-compliance can risk legal penalties and reputational damage.

Consent vs Access Control

Consent gives a user the ability to authorize the scope of operation(s) an application can perform when accessing resources whilst acting on their behalf, whilst Access Control refers to what a given subject (someone or something) is permitted to access. Consent and Access Control typically work hand-in-hand in a modern, secure and compliant Authorization implementation: consent bounds what the client may do on the user’s behalf, and access control bounds what the user themselves is allowed to do.
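As an added illustration of the two checks working hand-in-hand (example code written for this post, not from the original article or any vendor; the users, client ids, scope names and policy entries are constructed), a request is allowed only when the client holds the user’s unrevoked consent for the scope and the user is independently permitted the action on the resource owner’s data:

```python
from dataclasses import dataclass

# Constructed consent record: what a user has authorised one client to do on their behalf.
@dataclass(frozen=True)
class Consent:
    user: str
    client_id: str
    scopes: frozenset       # e.g. {"orders:read"}; here the scope name doubles as the action name
    revoked: bool = False

# Constructed access-control policy: (subject, action, resource owner) triples that are permitted.
ACCESS_POLICY = {
    ("alice", "orders:read", "alice"),
    ("bob",   "orders:read", "bob"),
    ("agent", "orders:read", "alice"),   # a support agent may view alice's orders
}

# Constructed consent store. bob revoked his consent to budget-app.
CONSENTS = [
    Consent("alice", "budget-app", frozenset({"orders:read"})),
    Consent("bob",   "budget-app", frozenset({"orders:read", "orders:write"}), revoked=True),
    Consent("agent", "crm-tool",   frozenset({"orders:read"})),
]

def consent_permits(user, client_id, scope, consents=CONSENTS):
    """Consent check: did `user` grant `client_id` this scope, and is that grant still live?"""
    return any(c.user == user and c.client_id == client_id
               and scope in c.scopes and not c.revoked for c in consents)

def access_permits(user, action, owner, policy=ACCESS_POLICY):
    """Access-control check: may `user` perform `action` on `owner`'s resources at all?"""
    return (user, action, owner) in policy

def authorize(user, client_id, action, owner):
    """Combined decision. Returns (allowed, reason). Both checks must pass: a valid
    consent never lets a client exceed the user's own rights, and a user's own rights
    never let a client act without that user's consent."""
    if not consent_permits(user, client_id, action):
        return False, "no valid consent for scope"
    if not access_permits(user, action, owner):
        return False, "user not permitted to perform action on resource"
    return True, "ok"

if __name__ == "__main__":
    for req in [("alice", "budget-app", "orders:read", "alice"),
                ("alice", "budget-app", "orders:read", "bob"),
                ("bob", "budget-app", "orders:read", "bob")]:
        print(req, "->", authorize(*req))
```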

Buy vs DIY

You could build an in-house custom solution yourself; it’s certainly an option, particularly if you have a team with the time, capacity, knowledge, and expertise to develop SSO; deploy and maintain Attack Protection; leverage OIDC and/or SAML for Authentication, Social and/or (Enterprise) Federation; implement Passwordless, Passkeys and/or MFA; and optionally adopt OAuth 2.0 for API Authorization.

The alternative is to integrate with a SaaS solution provided by one of the popular vendors, and the cost of subscribing to one of these typically depends on the features you use and the number of active consumer identities you have.

With vendor-based CIAM the cost is typically associated with the platform hosting the backend service(s) that deliver Authentication, Authorization, Management and Protection from attack. With consumer-oriented software, much of this infrastructure is already in place: cloud-based “compute”, database, network resources, etc. are likely already a necessity for your solution, and delivering these at scale may be something you already need to do.

Deploying a standards-based open-source DIY solution within your existing infrastructure might provide a more cost-effective approach — delivering secure and robust CIAM without the need to build everything yourself and with the added benefit of more flexibility and control.

Got questions?
Feel free to reach out!