Documentation clarification for skipping consent for first-party applications

charlie.egan · January 27, 2021, 11:35am

Which SDK this is regarding: auth0-spa-js
SDK Version: 1.13.5
Platform Version: e.g. Node 12.11.1
Code Snippets/Error Messages/Supporting Details/Screenshots:

Is this a feature request or bug report? other question

Hello,

Yesterday we made a change to our Auth0 configuration to skip confirmation in an API for a first party application following reading this docs page:

However, we found that we were able to leave localhost in the allowed callback URLs for the application, and still have the consent prompt skipped on our verified production URL (which is what we want).

The documentation and other comment threads on the matter appear to suggest that this shouldn’t work. E.g. Disable Authorize App dialog

Is our use here, were we leave localhost in the allowed callbacks, unsupported or is this just my misreading of the documentation?

dan.woda · January 27, 2021, 4:57pm

Hi @charlie.egan,

Welcome to the Community!

I read the doc the same way. I would expect it won’t skip the prompt if you have LH as a registered callback URI. Is it still triggering when you run your app on LH? Let me know, I will suggest an update to the doc.

charlie.egan · January 27, 2021, 5:16pm

Hello Dan, thank you for responding.

On first time login to the application, when on localhost, the consent is shown.

On first time login, when using the verified production URL, the consent is not shown.

We have both localhost and our domain set in ‘Allowed Callback URLs’.

So it seems to me that the documentation doesn’t describe the behavior we’re seeing. I’m interested to know if this is a fault in the docs or if we’re relying on an unsupported edge case.

charlie.egan · February 1, 2021, 10:29am

@dan.woda would you be able to clarify if it is the docs which are incorrect? (rather than this being an unsupported behaviour)

dan.woda · February 1, 2021, 6:48pm

Sorry for the delay. I needed to set some time aside to test this before requesting a review. I set it up this morning and can confirm the behavior. I’ll put in a request from the team and let you know here when I have a response.

charlie.egan · February 1, 2021, 7:04pm

Thanks Dan for taking the time to replicate our use case. Much appreciated. Let’s see what they say.

charlie.egan · February 8, 2021, 3:46pm

Hello @dan.woda, have you had a chance to look into this yet?

dan.woda · February 8, 2021, 8:42pm

Hi @charlie.egan,

I am waiting to hear back from the team. I’ll update the thread when I have a response.

charlie.egan · February 9, 2021, 1:24pm

Thanks for the update. Keep us posted.

charlie.egan · March 8, 2021, 11:59am

Hi @dan.woda - aware there’s been some company news but wondering if anyone’s had a moment to look over this yet?

We’re running this in production and keen to confirm it’s a supported configuration.

dan.woda · March 9, 2021, 5:51pm

Hi @charlie.egan,

Still waiting to hear back on this. I pinged the team again to try and nudge this forward. Thanks for your patience.

charlie.egan · March 9, 2021, 6:41pm

Hi Dan, thanks - keep us posted.