GitLab Rails: Consent Integration with IAM Service

Based on the OAuth for Protocells design, the IAM service should integrate with GitLab Rails as the Login provider. We would like to use Hydra's Login flow as inspiration for this.

Requirements:

• Consent UI
  • Present consent form with approve/deny options
  • Display all requested scopes with clear descriptions
  • Show client application details (name, logo, owner)
  • UI should match the current Doorkeeper consent screen UI
• Consent Challenge Acceptance
  • Accept incoming redirects from IAM service with consent challenge parameter
  • Extract and validate consent challenge token from query parameters
  • Store consent challenge in session for verification callback
  • Fetch and display client information (name, logo, description)
  • Display authenticated user context
• Consent Verification Callback
  • After user approval, make verification callback to IAM service with consent challenge token in callback request
  • Include granted scopes and custom claims
  • Handle callback success/failure responses
  • Store user's consent record
  • Redirect to the URL provided in the response
• Consent Rejection
  • If user denies consent, send rejection callback to IAM service
  • Include consent challenge and error reason in rejection
  • Store user's consent rejection record
  • Clear consent challenge from session
  • Redirect user to appropriate denial confirmation page
• Security Requirements
  • Consent Challenge Validation - format matches expected pattern
  • Store consent challenge securely in session, not exposed to client
  • Verify user is authenticated before displaying consent UI
  • Verify subject from consent challenge matches currently authenticated user
  • Validate that granted scopes are subset of or equal to requested scopes
  • Generate and validate CSRF token for consent form submission
  • Bind CSRF token to consent challenge and session
  • Reject form submissions with invalid or missing CSRF token