The IdP is an enterprise SAMLP connection for a third-party IdP-initiated SSO to our SPA, which then accesses our API. Because it is IdP-initiated to the SPA, there is no audience, so an opaque access token is returned. I want a JWT access token for our API, and we are using auth0-js, so I followed the advice in other posts by initializing WebAuth with audience set to my-api, and calling
The problem is that in development, my SPA is at localhost, so the consent_required error is returned despite being a first-party app. I don’t believe this would be a problem in other environments since I wouldn’t be using localhost. I would probably be OK if developers are prompted for consent locally rather than having to now have everyone set up a hosts file and change all configuration. But how? I am not the IdP in this scenario, so who is responsible for prompting for consent? I expected auth0-js to redirect to its own consent page, but perhaps it does not due to the user being from an enterprise connection. How do I handle it?