
11.1. Collection Limitation

When the client is being granted access to a protected resource containing personal data, the client SHOULD limit the collection of personal data to that which is within the bounds of applicable law and strictly necessary for the specified purpose(s).

It is often hard for the user to find out whether the personal data asked for is strictly necessary. A trusted third-party service can help the user by examining the client's request, comparing it with the processing the client proposes to do, and certifying the request. After certification, the client, when preparing an authorization request, can submit its Request Object to the trusted third-party service to obtain a Request Object URI. This process has two steps:

(1) (Certification Process) The trusted third-party service examines the business process of the client and determines which claims it needs; this is the certification process. Once the client is certified, it is issued a client credential with which it authenticates to the trusted third-party service when pushing Request Objects to obtain a request_uri.

(2) (Translation Process) The client uses that client credential to push the Request Object to the trusted third-party service and obtain the request_uri. The trusted third-party service also verifies that the Request Object is consistent with the claims the client was found eligible for in the certification step.

Upon receiving such a Request Object URI in an authorization request, the authorization server first verifies that the authority portion of the Request Object URI is a legitimate one for the trusted third-party service. It then issues an HTTP GET request to the Request Object URI. Upon connecting, the authorization server MUST verify that the server identity represented in the TLS certificate is legitimate for the Request Object URI. The authorization server can then obtain the Request Object, which includes the client_id representing the client.
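The authorization-server side of the flow above, as an added example that is not part of the specification text: the authority of the request_uri is checked against an allowlist of trusted third-party services before anything is fetched, the fetch itself is delegated to a function that must do the TLS server-identity check, and the retrieved Request Object is signature-checked and its client_id compared with the client_id sent in the front channel. The service name ro.tps.example, the HS256 shared key, the sample claims and the offline fetch function are all constructed for this illustration; a real deployment would verify an asymmetric signature against the signer's published keys.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Assumption: the authorization server keeps an allowlist of the authority
# (host, plus port when not 443) of every trusted third-party service whose
# request_uri values it is willing to dereference.
TRUSTED_REQUEST_URI_AUTHORITIES = {"ro.tps.example"}

# Assumption for this illustration only: the Request Object is an HS256 JWS
# under a key shared with the trusted service.
SHARED_KEY = b"example-shared-key-not-for-production"


class RequestUriError(ValueError):
    """Raised when a request_uri or Request Object must be rejected."""


def validate_request_uri(request_uri: str) -> str:
    """Return the normalised authority if it belongs to a trusted service."""
    parts = urlsplit(request_uri)
    if parts.scheme != "https":
        raise RequestUriError("request_uri must use https")
    # urlsplit keeps userinfo in netloc: "https://ro.tps.example@evil/..."
    # would fool a naive substring check on the netloc, so reject it outright.
    if parts.username is not None or parts.password is not None:
        raise RequestUriError("userinfo not allowed in request_uri")
    if not parts.hostname:
        raise RequestUriError("request_uri has no host")
    try:
        port = parts.port
    except ValueError:
        raise RequestUriError("invalid port in request_uri")
    authority = parts.hostname  # urlsplit already lowercases the host
    if port is not None and port != 443:
        authority = f"{authority}:{port}"
    if authority not in TRUSTED_REQUEST_URI_AUTHORITIES:
        raise RequestUriError(f"untrusted request_uri authority {authority!r}")
    return authority


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_request_object(jws: str, key: bytes, expected_client_id: str) -> dict:
    """Verify the HS256 JWS and return its claims if client_id matches the
    client_id the client sent in the authorization request itself."""
    try:
        h, p, s = jws.split(".")
    except ValueError:
        raise RequestUriError("Request Object is not a compact JWS")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise RequestUriError("unexpected alg")  # never accept "none"
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise RequestUriError("bad Request Object signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("client_id") != expected_client_id:
        raise RequestUriError("client_id in Request Object does not match request")
    return claims


def resolve_request_object(auth_request: dict, fetch, key: bytes = SHARED_KEY) -> dict:
    """Authority check, HTTPS GET, signature and client_id check, in that order.

    fetch(url) -> str must perform the GET with server certificate and
    hostname verification (urllib.request.urlopen and requests do so by
    default) and must not follow redirects to another host, or the
    authority check is bypassed."""
    validate_request_uri(auth_request["request_uri"])
    body = fetch(auth_request["request_uri"])
    return verify_request_object(body, key, auth_request["client_id"])


# Constructed sample data so the example runs offline.
SAMPLE_CLAIMS = {"iss": "s6BhdRkqt3", "aud": "https://as.example",
                 "client_id": "s6BhdRkqt3", "response_type": "code",
                 "redirect_uri": "https://client.example/cb", "scope": "openid"}


def sign_hs256(claims: dict, key: bytes) -> str:
    h = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


SAMPLE_STORE = {"https://ro.tps.example/ro/5c1e4b2a": sign_hs256(SAMPLE_CLAIMS, SHARED_KEY)}


def offline_fetch(url: str) -> str:
    """Stand-in for the HTTPS GET against the trusted service."""
    return SAMPLE_STORE[url]


if __name__ == "__main__":
    req = {"client_id": "s6BhdRkqt3", "request_uri": "https://ro.tps.example/ro/5c1e4b2a"}
    print(resolve_request_object(req, offline_fetch))
```

The order matters: the allowlist check runs before any network access, so an attacker-controlled request_uri never causes the authorization server to make an outbound request, and the client_id comparison ties the fetched Request Object back to the client named in the front channel.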

The consent screen MUST indicate the client and SHOULD indicate that the request has been vetted by the trusted third-party service for adherence to the collection limitation principle.