This works. However, when the user logs into Auth0 the first time (i.e. when the Auth0 user doesn’t yet exist and it federates from B2C), the user gets a consent popup…
How do I get rid of this? We want to silently migrate users over from B2C to Auth0; this isn’t an ongoing federated identity, where one would expect a consent popup.
Thanks for the context
To help get rid of the unwanted consent screen, I have two questions for you first:
Is the client application requesting profile data access marked as a first-party application? To check it out, you can run this Management API call and look for the property: is_first_party.
Is the client application requesting profile data access running on localhost at the moment?
Yes, I’ve just tried making the management API call against my frontend application client id, and it says is_first_party is set to true.
Yes, I think so. In the login script, I’m doing the same as in the article I linked to, i.e. openid {{YOUR_B2C_APP_CLIENT_ID}} offline_access profile. However, I’ve just tried removing ‘profile’ from that list of scopes, and it still shows the consent prompt saying profile access is being requested.
With the client application marked as first-party (like yours), user consent is skipped by default when requesting user profile data.
When the client application runs on a local machine during development (like your Ec…ev client application currently does), this user consent cannot be skipped, because localhost is unverifiable and thus untrusted (so Auth0 treats it as a third party anyway).
If you would like to read more on that, here is a link to the doc.
The problem shouldn’t occur once the application is deployed.
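The two checks from the reply above (is the client first-party, and is the redirect URI on localhost) put into code, as an added example that is not part of this thread or of Auth0's own code. The endpoint GET /api/v2/clients/{id}, the fields/include_fields query parameters, the is_first_party property and the read:clients scope are the real Management API ones; the helper names, the LOCAL_HOSTS set and the SAMPLE_CLIENT response are my assumptions, and the sample is constructed rather than real tenant data.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Hosts Auth0 cannot verify; a redirect to any of these forces the consent screen
# even for a first-party client (assumption: this set is my own list).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def build_client_request(domain: str, client_id: str, mgmt_token: str) -> Request:
    """Build the Management API request that returns is_first_party for one client.

    Real endpoint: GET /api/v2/clients/{id}; the token needs the read:clients scope.
    """
    url = (
        f"https://{domain}/api/v2/clients/{client_id}"
        "?fields=name,is_first_party,callbacks&include_fields=true"
    )
    return Request(url, headers={
        "Authorization": f"Bearer {mgmt_token}",
        "Accept": "application/json",
    })


def fetch_client(domain: str, client_id: str, mgmt_token: str) -> dict:
    """Perform the request above and decode the JSON body (needs network access)."""
    with urlopen(build_client_request(domain, client_id, mgmt_token)) as resp:
        return json.load(resp)


def is_localhost(url: str) -> bool:
    """True when the redirect URI points at a local, unverifiable host."""
    host = (urlsplit(url).hostname or "").lower()
    return host in LOCAL_HOSTS or host.endswith(".localhost")


def consent_skipped(client: dict, redirect_uri: str) -> tuple:
    """Apply the rule from the reply: first-party skips consent unless on localhost.

    Returns (skipped, reason) so the reason can be logged or shown to the developer.
    """
    if not client.get("is_first_party", False):
        return (False, "client is third-party: consent is always shown")
    if is_localhost(redirect_uri):
        return (False, "first-party client, but localhost is unverifiable, "
                       "so Auth0 treats it as third-party")
    return (True, "first-party client on a deployed origin: consent skipped by default")


# Constructed sample response (not real tenant data), shaped like the
# fields=name,is_first_party,callbacks projection of GET /api/v2/clients/{id}.
SAMPLE_CLIENT = {
    "name": "Frontend SPA",
    "is_first_party": True,
    "callbacks": ["http://localhost:3000/callback", "https://app.example.com/callback"],
}


def check_all_callbacks(client: dict) -> dict:
    """Evaluate every registered callback so the developer sees which ones will prompt."""
    return {cb: consent_skipped(client, cb)[0] for cb in client.get("callbacks", [])}


if __name__ == "__main__":
    for cb, skipped in check_all_callbacks(SAMPLE_CLIENT).items():
        print(f"{cb}: consent {'skipped' if skipped else 'shown'}")
```

Run it against a real tenant by replacing SAMPLE_CLIENT with fetch_client(domain, client_id, token); the localhost callback will report the consent screen as shown and the deployed one as skipped, which is the behaviour the reply describes.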