An updated version of this article has been published here.
Now that the High Mobility platform offers access to personalised data from connected cars, we thought it would be useful for third-party services and application developers to understand how the authorisation flow looks from the driver’s perspective. In this post we will demonstrate the car owner’s perspective of the consent flow so you know exactly what your users will see.
User consent
Whether your application is offering pay-as-you-drive insurance, or charging services, each car owner must consent to the application’s access to — and use of — the relevant data. Though consumers are accustomed to sharing all kinds of data from their phones, authorising access to vehicle data is a new and sensitive topic — which is why we have designed our consent flow and data-handling to be secure, transparent and fully GDPR-compliant. (Should a car owner no longer wish to share their data, they can revoke permission at any time, either in the application or in their car maker’s owner portal). Throughout the authorisation process, we have taken extra care to make it very clear what data has been requested, by whom and for what purpose. The process should look familiar to anyone who has used OAuth 2.0 to log in to an online service.
The application developer simply implements the OAuth flow with High Mobility, and our platform manages every step of the authentication process with the relevant automaker.
User starts journey from third-party app (sample)
When user indicates that he or she would like to sign up for a connected car service, they will see a page similar to the one below. In this case, a “LINK A NEW VEHICLE” button takes them to a link generated by the service, which will initiate the OAuth flow. (This login link is composed of the redirect_uri, client_id, and other parameters which are associated with the service’s account on High Mobility).
The user is redirected to High Mobility and selects relevant car maker from dropdown menu
Here, the user selects his or her car maker from a list of supported car brands.
From this point on, the consent flow differs slightly according to car maker. First, we will show the BMW flow.
The consent flow for BMW vehicles
User reads and accepts third party app’s permission request
Before being redirected to the BMW ConnectedDrive portal, the user is shown which permissions the application has requested and is shown the app’s Terms of Use and Privacy Policy.
In this step and in the following steps, if the user selects “Decline”, a confirmation modal will ask the user to confirm their decision. If they confirm that they would like to stop the signup process, they will be redirected back to the app.
User accepts High Mobility's terms and privacy policy
The user is presented with and agrees to High Mobility's terms and conditions and privacy policy.
User is prompted to enter their vehicle’s VIN
This is the step in the flow where the vehicle is first known. The user is prompted to enter the VIN, which enables BMW to identify the owner and contact him or her by email in the next steps to request access to his or her vehicle’s data.
The user is directed back to the application. BMW requests consent via email and waits for the customer to consent to the sharing of vehicle data
Once BMW knows the VIN of the customer’s vehicle, they send an email to the customer informing him or her that an application has requested access to certain data points, and inviting him or her to log into the ConnectedDrive portal and consent to the sharing of data with the third party app.
At the same time, the user is directed back to the application, which will show a status of “Pending” until the user has approved the request inside the ConnectedDrive portal.
After following the link in the consent email, the user arrives at BMW’s ConnectedDrive portal and consents to sharing his car data
In the portal, the car owner can approve the request, as well as see all approved requests. In the portal, the car owner can also see — and has the option to revoke — any permissions which he or she had previously granted to other applications.
The user is directed back to the application, which now has access to the requested data
Once approved, the application can use High Mobility's Auto API to get live vehicle data.
The Consent flow for Mercedes-Benz vehicles
Although the basic idea is the same, the consent flow for a Mercedes-Benz owner to share his or her vehicle data differs slightly from that of BMW.
The first two steps are identical
In the first steps, the user is redirected from the application to High Mobility, and he or she selects his car maker.
User reads and accepts third-party app’s permission request
Before being redirected to the Mercedes-Benz portal, the user is shown which permissions the application has requested, and is shown the app’s Terms of Use and Privacy Policy.
In this step and in the following steps, if the user selects “Decline”, a confirmation modal will ask the user to confirm their decision. If they confirm that they would like to stop the signup process, they will be redirected back to the app.
User accepts High Mobility's terms and privacy policy
In the next step, the user sees and agrees to High Mobility's terms of service and privacy policy.
User is prompted to enter their vehicle’s VIN
Before being redirected to the Mercedes-Benz portal, the user is prompted to enter his vehicle’s VIN, which will be used in the API requests between High Mobility and Mercedes-Benz. High Mobility will store the VINs to simplify linking of additional third party apps. If the user clicks “Cancel”, he or she will be redirected to the app.
User is redirected to — and logs in to — the Mercedes Me portal
User is shown requested permissions and consents related to the sharing of data
In the Mercedes me portal, the user is again shown which use case and data bucket the application is requesting, and approves the request.
The user is directed back to the application, which now has access to the requested data
This is the final step in the authorisation process for Mercedes-Benz vehicles. The application gets an authorisation code which can be exchanged for an access token, which is used to access vehicle data via the API.
We hope you’ve found this rundown of the user’s view of the authorisation process useful as you begin working with personalised car data. Although the exact flows differ slightly between manufacturers, the differences are always transparent to developers. Irrespective of which car maker you choose to work with, the application sends the user toto start the authorisation process. When he or she completes the authorisation process, the application will receive an authorisation code.