Auth0 Home Blog Docs

Consent for regular web client against Auth0

oauth
consent

#1

Hi.

I have a website that consists of many different web applications. I would like my users to give consent to the different clients(web-applications) that use OAuth2 against Auth0. So the clients are a mix of 3 party and 1 party clients but I want my users to give consent to all the clients when jumping around the site. But I cant seem to grasp the concept of this consent page. The only place I have found it is when doing social login where facebook would promt you or via the new beta feature under API’s.

Is it not possible for at client to start an authentication flow with Auth0, use scopes and let Auth0 as the user for the consent?

Thanks


#2

The default Auth0 consent screen will be shown when a third-party client performs user authentication in order to inform the user the application will have access to their available user information. This does not happen for first-party clients as in general these applications will be associated with the user identity itself and it would not make sense to display the consent screen by default.

For example, consider a user that goes to a web application (the first-party client) that delegated authentication to Auth0 and signs up to that service using username/password credentials. In most situations, showing consent for this situation would be overkill because the end-user already considers that the application will have access to their user information given they performed the sign up through the application itself.

This means that for first-party applications the consent screen will not be shown by default unless the application explicitly specifies an API that is configured to request consent even for first-party clients. The side-effect of this is that if you want to show the consent screen even for a first-party application you can do so by configuring an associated API and use it in the authentication request (even if the API does not really exists, this would allow you to force the consent screen to be displayed).

Have in mind that currently the consent screen cannot be customized, this is something we already have in our backlog, but there’s not a definitive ETA for the availability of this functionality.


#3

Hi @jmangelo

Thanks for your reply. I succeeded with your described solution though it does not work great if you need to do a custom UI login form and need to customize the consent screen. Do you have any idea what quarter the functionality is due to be deployed? Q3/Q4 this year?

Best regards
Ronnie


#4

Hi @jmangelo

Thanks for your reply. I succeeded with your described solution though it does not work great if you need to do a custom UI login form and need to customize the consent screen. Do you have any idea what quarter the functionality is due to be deployed? Q3/Q4 this year?

Best regards
Ronnie


#5

Based on the information I have I can only say that the feature is planned to be implemented. Your suggested timeline is not unfeasible, but things change so rapidly in software development that me saying any concrete date would just result in the feature being available sooner and no one caring about what I said or the feature being available at a later date and everyone complaining that I created false expectations.


#6