Steps of Consent Provisioning
Consumers do not necessarily need their own application to initiate the consent provisioning process; read more about this in the following steps.
Step 1: Redirect your user to the Caruso Consent Portal
Forward the user to the Caruso consent portal to initiate the consent provisioning process.
We leave it up to consumers to design how they onboard the user (the registered keeper). If the consumer has the optional user data, we recommend passing it on to Caruso upon redirection. Otherwise, the user can provide the required information manually when giving consent in the Caruso Consent Portal. Passing more parameters gives your user a better experience and saves them from having to type in the information manually. However, the mandatory parameters must always be supplied by the consumer.
Routing User to Caruso Consent Portal
https://consent.caruso-dataplace.com/provision?consumerId=<insert_your_consumerId_here>&subscriptionId=<insert_your_subscriptionId_here>&vin=<insert_vin_here>&redirectUrl=<insert_your_redirectUrl_here>&email=<insert_email_here>&firstName=<insert_firstName_here>&lastName=<insert_lastName_here>
QUERY PARAMETERS
consumerId (required)
subscriptionId (required)
redirectUrl
vin
firstName
lastName
The parameter redirectUrl needs to be provided only if the user should be redirected to your application at the end of the consent provisioning process.
If you don’t have an application, or don’t want the user to be redirected to your application at the end, this parameter can be omitted. This case can be particularly interesting for data consumers who do not have their own application and send the link to the Caruso Consent Portal to the end user via other means such as email or SMS.
Step 2: User provides Consent in the Caruso Consent Portal
The user gets detailed information about what he or she is consenting to. The user can see all the data items involved, the processing purpose, all the parties involved in the data flow, his or her rights according to GDPR, and all related topics. Once the user is willing to provide consent, he or she can Approve it in the Caruso Consent Portal. On success, the user is automatically redirected to the vehicle manufacturer’s authorization server. If the user decides to reject consent, he or she is forwarded back to the given redirectUrl with an error code and a description.
Redirecting the User to the Application in case of declining Consent
redirectUrl?error=rejected&error_description=user%20rejected%20consent
The consent the user gives to Caruso is stored, but it is activated only after the user successfully provides consent to the vehicle manufacturer. As a developer, you do not need to do anything technically for this step.
Step 3: Caruso redirects the User to the Vehicle Manufacturer’s Authorization Server to provide Consent
The Caruso portal automatically redirects the user to the vehicle manufacturer’s portal. The user needs to log in to the vehicle manufacturer’s portal with his or her vehicle manufacturer credentials. After logging in, the user can provide consent to the vehicle manufacturer. Every vehicle manufacturer will have a slightly different implementation of the consent flow, depending on their requirements. Nevertheless, the user will always be able to see what he or she is giving consent for: the data involved, the party and the purpose. As a developer, you do not need to do anything technically for this step.
Step 4: Caruso redirects the User to your Application
Once the user successfully provides consent to the vehicle manufacturer, he or she is redirected to the Caruso platform. The Caruso platform updates the consent information accordingly and afterward, if a redirectUrl was provided, redirects the user to your application. Caruso uses the redirectUrl that you supplied when you started the consent provisioning process and that is part of your subscription’s redirectUrl whitelist. If you did not specify a redirectUrl in step one, the process ends here and the user receives a success message. Step 5 is optional and is skipped in this case.
Redirecting the User to the Application
redirectUrl?code=<consent_confirmation_code>&consent_id=<consentId>
QUERY PARAMETERS
code (required)
consent_id (required)
Step 5: You retrieve consent information from the Caruso Platform (optional)
In case you provided a redirectUrl, the user has now been forwarded to your specified redirectUrl and you are able to retrieve detailed information about the given consent.
Your application calls the Caruso platform with the confirmation code and your API key. In response, you will receive detailed consent information.
Request: Consent Information Retrieval by the Application
POST https://portal.caruso-dataplace.com/api/consent/provisioning/confirmation/{code} HTTP/1.1
REQUEST PARAMETERS
X-API-Key (required)
code (required)
Response: Consent Information Retrieval by the Application
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
"consentId" : "<consentId>",
"vin" : "<vin>",
"subscriptionId" : "<your_subscriptionId>",
"confirmedAt" : "<datetime_of_consent_confirmation>",
"consentGivenAt" : "<datetime_of_consent_approval>"
}
RESPONSE PARAMETERS
vin (required)
subscriptionId (required)
confirmedAt (required)
consentGivenAt (required)
In case this confirmation call fails, you will receive one of the following errors:
HTTP Status Code | Error Type | Description |
---|---|---|
401 | Unauthorized | In case the API key is invalid or the partner identified by the provided API key does not match consent-process partner, a 401 Unauthorized error response is returned. |
404 | Not Found | In case a partner does not exist for the given id, a 404 Not Found error response is returned. |
409 | Conflict | These are the cases a 409 Conflict error response with a meaningful error message will be returned: The consent is already confirmed. The consent process is not in the required state, e.g. the VIN of the user has not been confirmed by the vehicle manufacturer yet. The consent provisioning process has timed out (state change longer than 10 minutes ago). The consent was not given to the vehicle manufacturer. |
Standard Error Model
{
"reasonCode" : "car.401",
"reasonText" : "Partner identified by provided ApiKey does not match consent-process partner.",
"url" : "/consent/provisioning/confirmation/<code>",
"method" : "POST"
}
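Steps 1, 4 and 5 seen from the consumer's application, as an added example that is not part of the Caruso documentation: it builds the portal link with every value percent-encoded, classifies the redirect back, prepares the confirmation call, and handles the Standard Error Model. The function names and all sample values are constructed, and comparing the returned consentId, subscriptionId and vin with the flow you started is an added check the page does not require.

```python
# Added example, not Caruso code. URLs and parameter names come from the page;
# function names and every sample value used with them are constructed.
import json
import urllib.request
from urllib.parse import urlencode, urlsplit, parse_qs, quote

PORTAL = "https://consent.caruso-dataplace.com/provision"
CONFIRM = "https://portal.caruso-dataplace.com/api/consent/provisioning/confirmation/"
OPTIONAL = ("vin", "redirectUrl", "email", "firstName", "lastName")

class ConsentError(Exception):
    """Raised for a Standard Error Model body or a response that does not match the flow."""

def build_provision_url(consumer_id, subscription_id, **optional):
    # Step 1: urlencode() percent-encodes each value, so user-supplied names or a
    # redirectUrl containing '&' or '?' cannot add or override query parameters.
    params = {"consumerId": consumer_id, "subscriptionId": subscription_id}
    params.update({k: v for k, v in optional.items() if k in OPTIONAL and v})
    return PORTAL + "?" + urlencode(params)

def parse_callback(url):
    # Steps 2 and 4: the redirect carries either error/error_description or code/consent_id.
    q = parse_qs(urlsplit(url).query)
    if "error" in q:
        return {"ok": False, "error": q["error"][0],
                "description": q.get("error_description", [""])[0]}
    if len(q.get("code", [])) != 1 or len(q.get("consent_id", [])) != 1:
        raise ValueError("expected exactly one code and one consent_id")
    return {"ok": True, "code": q["code"][0], "consent_id": q["consent_id"][0]}

def confirmation_request(code, api_key):
    # Step 5: built server-side; the API key travels in a header, never in a URL.
    # Pass the result to urllib.request.urlopen() to send it.
    return urllib.request.Request(CONFIRM + quote(code, safe=""), method="POST",
                                  headers={"X-API-Key": api_key})

def check_consent(body, callback, subscription_id, vin=None):
    # Added check (an assumption, not required by the page): accept the consent only
    # if it belongs to the flow this application started.
    info = json.loads(body)
    if "reasonCode" in info:  # Standard Error Model (401, 404, 409)
        raise ConsentError(f'{info["reasonCode"]}: {info["reasonText"]}')
    if info["consentId"] != callback["consent_id"]:
        raise ConsentError("consentId differs from the callback's consent_id")
    if info["subscriptionId"] != subscription_id or (vin and info["vin"] != vin):
        raise ConsentError("consent is for a different subscription or VIN")
    return info
```

With urllib, a 401, 404 or 409 surfaces as urllib.error.HTTPError; read its body and pass it to check_consent to get the reasonCode and reasonText.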