Is this a feature request or bug report? other question
Hello,
Yesterday we made a change to our Auth0 configuration to skip confirmation in an API for a first party application following reading this docs page:
However, we found that we were able to leave localhost in the allowed callback URLs for the application, and still have the consent prompt skipped on our verified production URL (which is what we want).
The documentation and other comment threads on the matter appear to suggest that this shouldn’t work. E.g. Disable Authorize App dialog
Is our use here, were we leave localhost in the allowed callbacks, unsupported or is this just my misreading of the documentation?
I read the doc the same way. I would expect it won’t skip the prompt if you have LH as a registered callback URI. Is it still triggering when you run your app on LH? Let me know, I will suggest an update to the doc.
On first time login to the application, when on localhost, the consent is shown.
On first time login, when using the verified production URL, the consent is not shown.
We have both localhost and our domain set in ‘Allowed Callback URLs’.
So it seems to me that the documentation doesn’t describe the behavior we’re seeing. I’m interested to know if this is a fault in the docs or if we’re relying on an unsupported edge case.
Sorry for the delay. I needed to set some time aside to test this before requesting a review. I set it up this morning and can confirm the behavior. I’ll put in a request from the team and let you know here when I have a response.