OpenConext · Badlapje · May 11, 2021 · May 3, 2022 · Mar 6, 2026 · Mar 25, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,12 @@ Changes:
   * The `0000-00-00 00:00:00` is added for clarity/consistency, as this is probably the default behaviour of your database already.
 * Removed unused index `consent.deleted_at`. Delete this from your production database if it's there.
 
+* Stabilized consent checks
+  * In order to make the consent hashes more robust, a more consistent way of hashing the user attributes has been introduced
+  * This feature automatically migrates from the old hashes to the new hashes, cleaning up the old hash.
+  * However, if blue/green deployments are used or if you want to keep the option open to roll back the EB release, keep the `feature_stable_consent_hash_migration` set to false in order to preserve the old consent hashes.
+  * Once the new release is fully rolled out, set `feature_stable_consent_hash_migration` to true. This will clean up the old consent hashes upon login. In the next EB release, the old consent hash column will be deleted.
+
 ## 7.1.0
 SRAM integration
 

diff --git a/config/packages/engineblock_features.yaml b/config/packages/engineblock_features.yaml
@@ -16,3 +16,4 @@ parameters:
         eb.stepup.sfo.override_engine_entityid: "%feature_stepup_sfo_override_engine_entityid%"
         eb.stepup.send_user_attributes: "%feature_stepup_send_user_attributes%"
         eb.feature_enable_sram_interrupt: "%feature_enable_sram_interrupt%"
+        eb.stable_consent_hash_migration: "%feature_stable_consent_hash_migration%"
diff --git a/config/packages/parameters.yml.dist b/config/packages/parameters.yml.dist
@@ -227,6 +227,7 @@ parameters:
     feature_stepup_sfo_override_engine_entityid: false
     feature_stepup_send_user_attributes: false
     feature_enable_sram_interrupt: false
+    feature_stable_consent_hash_migration: false
 
     ##########################################################################################
     ## PROFILE SETTINGS

diff --git a/config/services/ci/services.yml b/config/services/ci/services.yml
@@ -66,6 +66,12 @@ services:
         arguments:
             - "@engineblock.functional_testing.data_store.sbs_client_state_mananger"
 
+    engineblock.compat.corto_model_consent_factory:
+        class: EngineBlock_Corto_Model_Consent_Factory
+        arguments:
+            - "@engineblock.service.consent.ConsentHashService"
+            - "@engineblock.functional_testing.fixture.features"
+
     #endregion Fixtures
 
     #region Data Stores

diff --git a/config/services/compat.yml b/config/services/compat.yml
@@ -49,8 +49,8 @@ services:
     engineblock.compat.corto_model_consent_factory:
         class: EngineBlock_Corto_Model_Consent_Factory
         arguments:
-            - "@engineblock.compat.corto_filter_command_factory"
-            - "@engineblock.compat.database_connection_factory"
+            - "@engineblock.service.consent.ConsentHashService"
+            - "@OpenConext\\EngineBlockBundle\\Configuration\\FeatureConfiguration"
 
     engineblock.compat.saml2_id_generator:
         public: true

diff --git a/config/services/controllers/api.yml b/config/services/controllers/api.yml
@@ -16,7 +16,7 @@ services:
             - '@security.token_storage'
             - '@security.access.decision_manager'
             - '@OpenConext\EngineBlockBundle\Configuration\FeatureConfiguration'
-            - '@OpenConext\EngineBlock\Service\ConsentService'
+            - '@OpenConext\EngineBlock\Service\Consent\ConsentService'
 
     OpenConext\EngineBlockBundle\Controller\Api\DeprovisionController:
         arguments:

diff --git a/config/services/services.yml b/config/services/services.yml
@@ -74,7 +74,14 @@ services:
             - '@OpenConext\EngineBlock\Metadata\LoaRepository'
             - '@logger'
 
-    OpenConext\EngineBlock\Service\ConsentService:
+    engineblock.service.consent.ConsentHashService:
+        class: OpenConext\EngineBlock\Service\Consent\ConsentHashService
+        public: false
+        arguments:
+            - '@OpenConext\EngineBlockBundle\Authentication\Repository\DbalConsentRepository'
+            - '@OpenConext\EngineBlockBundle\Configuration\FeatureConfiguration'
+
+    OpenConext\EngineBlock\Service\Consent\ConsentService:
         arguments:
             - '@OpenConext\EngineBlockBundle\Authentication\Repository\DbalConsentRepository'
             - '@OpenConext\EngineBlock\Service\MetadataService'

diff --git a/library/EngineBlock/Application/DiContainer.php b/library/EngineBlock/Application/DiContainer.php
@@ -161,11 +161,11 @@ public function getAuthenticationLoopGuard()
     }
 
     /**
-     * @return OpenConext\EngineBlock\Service\ConsentService
+     * @return OpenConext\EngineBlock\Service\Consent\ConsentService
      */
     public function getConsentService()
     {
-        return $this->container->get(\OpenConext\EngineBlock\Service\ConsentService::class);
+        return $this->container->get(\OpenConext\EngineBlock\Service\Consent\ConsentService::class);
     }
 
     /**