Identity & Consent

Early Draft

This specification is at an early draft stage. Ideas are open for change and debate. A lot of the content was developed with the help of Claude AI.

Architecture

The identity provider is integrated as a browser-native identity layer, not as a website login widget.

Once, on browser startup:
Vera -> SSO OAuth2 PKCE flow -> user authorizes -> access token (stored locally, encrypted)

Per navigation:
Vera -> SSO token exchange -> request-specific JWT -> X-Vera-Token header

OAuth2 Flow (once, PKCE)

GET https://broker.vera.id/authorize
?response_type=code
&client_id=vera-browser-official
&redirect_uri=vera://sso/callback
&scope=openid+vera.subscriptions+vera.consent
&state=<random>
&code_challenge=<PKCE>
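The request above leaves the PKCE mechanics implicit. The following added example (not part of this draft or of any Vera code) shows both halves of it: the browser generating a code_verifier and its S256 code_challenge, building the authorize URL with the page's client_id, redirect_uri and scopes, and checking the state parameter on the vera://sso/callback redirect; and the broker's side at the token endpoint, recomputing the challenge from the presented verifier. The code_challenge_method=S256 parameter is an assumption taken from RFC 7636; the page does not state which method the broker uses.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Values taken from the authorize request on the page.
BROKER_AUTHORIZE = "https://broker.vera.id/authorize"
CLIENT_ID = "vera-browser-official"
REDIRECT_URI = "vera://sso/callback"
SCOPES = ["openid", "vera.subscriptions", "vera.consent"]


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Browser side: return (code_verifier, code_challenge) for the S256 method.

    32 random bytes encode to 43 base64url characters, inside the 43..128
    range RFC 7636 allows for the verifier.
    """
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(state: str, code_challenge: str) -> str:
    """Browser side: the GET request shown on the page, with the challenge method
    made explicit (assumed S256)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),  # urlencode renders spaces as '+', as on the page
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return BROKER_AUTHORIZE + "?" + urllib.parse.urlencode(params)


def browser_check_callback(expected_state: str, callback_url: str):
    """Browser side: accept the authorization code from the vera://sso/callback
    redirect only if its state matches the one this session generated."""
    query = urllib.parse.urlparse(callback_url).query
    q = urllib.parse.parse_qs(query)
    if q.get("state", [None])[0] != expected_state:
        return None
    return q.get("code", [None])[0]


def broker_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Broker side (token endpoint): recompute the challenge from the verifier
    sent with the code and compare it in constant time to the one stored
    with the authorize request."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(state, challenge))
    # Simulated redirect back into the browser with a constructed code value.
    code = browser_check_callback(state, f"vera://sso/callback?code=CONSTRUCTED&state={state}")
    print("code accepted:", code is not None)
    print("broker accepts verifier:", broker_verify_pkce(challenge, verifier))
```

The verifier never leaves the browser until the code is redeemed, so an attacker who intercepts the vera://sso/callback redirect (for example through another app registering the same custom scheme) holds a code they cannot exchange; the state check additionally stops a callback that this browser session never initiated.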

The user grants GDPR consents once in the browser, not individually on each publisher site.

{
"consent_scope": ["essential", "analytics", "personalization", "advertising"],
"consent_given_at": "2025-04-04T09:00:00Z",
"consent_version": "tcf-2.2"
}

Cross-Publisher SSO

User reads Some Publisher (logged in via Vera)
|
v
User clicks an Other Publisher article
|
v
Other Publisher server receives X-Vera-Token with aud="other-publisher.news"
|
v
Other Publisher recognizes active Other Publisher+ subscription in token
|
v
Full article, no login dialog shown
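The per-navigation exchange in the Architecture section and the flow above both rest on the publisher validating the request-specific JWT before trusting anything in it. The following added example (not part of this draft or of Vera) shows a broker minting such a token and a publisher server checking X-Vera-Token: signature, issuer, aud matching its own domain, expiry, and then the subscription claim. Everything beyond the page is an assumption: the claim names vera.subscriptions and vera.consent mirror the scope names on the page, the subscription value "other-publisher-plus" and the 60-second lifetime are constructed, and HS256 with a shared key is used only so the example needs no third-party library; a real deployment would sign with an asymmetric key and let publishers verify against the broker's published public key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared key for the example only; see the lead-in about asymmetric signing.
BROKER_KEY = b"example-broker-key-not-for-production"
BROKER_ISSUER = "https://broker.vera.id"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_request_token(subject, audience, subscriptions, consent_scope, now=None, ttl=60):
    """Broker side of the token exchange: a short-lived JWT bound to one
    publisher through aud, carrying the subscription and consent claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": BROKER_ISSUER,
        "sub": subject,
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(8),
        "vera.subscriptions": subscriptions,  # assumed claim name (from the scope)
        "vera.consent": consent_scope,        # assumed claim name (from the scope)
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(BROKER_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    pass


def verify_request_token(token, expected_aud, now=None):
    """Publisher side: validate X-Vera-Token and return its claims, or raise."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # the token must not choose its own algorithm
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(BROKER_KEY, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != BROKER_ISSUER:
        raise TokenError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise TokenError("token issued for another publisher")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("token expired")
    return claims


def decide_access(token, publisher_aud, required_subscription, now=None):
    """Publisher side: (granted, reason). A token for another aud, an expired
    token, or one without the subscription does not unlock the article."""
    try:
        claims = verify_request_token(token, publisher_aud, now=now)
    except TokenError as e:
        return False, str(e)
    if required_subscription in claims.get("vera.subscriptions", []):
        return True, "subscription present in token"
    return False, "no active subscription for this publisher"


if __name__ == "__main__":
    # Constructed scenario: the broker mints a token for other-publisher.news.
    tok = mint_request_token("user-123", "other-publisher.news",
                             ["other-publisher-plus"], ["essential", "analytics"])
    print(decide_access(tok, "other-publisher.news", "other-publisher-plus"))
    print(decide_access(tok, "some-publisher.example", "other-publisher-plus"))
```

Because aud is checked before any claim is read, a token minted for Some Publisher cannot be replayed against Other Publisher, and the short exp keeps a leaked header usable only within the one navigation it was issued for.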