Skip user consent when using social connection

I have a Single Page Application in Auth0, and I configure it to use Social Connections (Facebook) using my own login page. Is there any way I can skip Auth0’s Consent page after authorizing my Facebook app to get my Facebook information?

I did some research and it seems that Auth0’s Consent page cannot be skipped for third party applications. In this case, I don’t really have any third party application. It’s my own application configured to use a social connection.

Hey there @matterdox!

If you’re developing a 1st party client, head to the APIs page and select your API. In the Settings you’ll see an option to Allow Skipping User Consent which you should enable.

This toggle allows skipping consent for verifiable first party clients. If your client is hosted on localhost, Auth0 has no reason to believe that it’s truly a 1st party client as the user may be maliciously (or without their knowledge) running any client on the localhost. If you want to skip the consent page during development, you can set up a mapping in your hosts file to map localhost to app.local for example.

Reference point:

Hope that helps!

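The conditions named in the answer above (first party client, the API's Allow Skipping User Consent toggle, and not being hosted on localhost) can be checked before testing a login flow. The following is an added example, not code from the thread or from Auth0; the field names `firstParty`, `apiAllowsSkippingConsent` and `appUrls` are hypothetical, and flagging loopback IP literals the same way as `localhost` is a conservative assumption of this example.

```javascript
// Added example: pre-flight check for the consent-skipping conditions
// described in the answer above. Field names are hypothetical and are
// not Auth0 Management API fields.

function isLocalHost(hostname) {
  // URL.hostname keeps brackets around IPv6 literals, so strip them.
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost") return true;
  // Assumption: loopback literals are flagged too (the thread only names localhost).
  return /^127(\.\d{1,3}){3}$/.test(h) || h === "::1";
}

function consentBlockers(cfg) {
  const blockers = [];
  if (!cfg.firstParty) {
    blockers.push("client is not a first party client");
  }
  if (!cfg.apiAllowsSkippingConsent) {
    blockers.push("API setting 'Allow Skipping User Consent' is not enabled");
  }
  for (const raw of cfg.appUrls) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      blockers.push(`unparseable URL: ${raw}`);
      continue;
    }
    if (isLocalHost(url.hostname)) {
      blockers.push(`${url.origin} is hosted on localhost; map a name such as app.local in the hosts file`);
    }
  }
  return blockers;
}

// Constructed sample configuration for a development setup.
const sample = {
  firstParty: true,
  apiAllowsSkippingConsent: true,
  appUrls: ["http://localhost:3000/callback", "http://app.local:3000/callback"],
};
console.log(consentBlockers(sample));
```

An empty result means none of the three conditions from the answer is violated by the values supplied; it does not query the tenant.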

Hey @matterdox!

Have you managed to get your stuff working based on the info I provided you above? Let me know if you need any further assistance!

Hi @konrad.sopala,

Thanks for your answer, but unfortunately not yet. I don’t define our backend as an API in Auth0. What I had are:

  • An Auth0 application configured to be SPA with Facebook social connections
  • An Auth0 rule that adds scopes after user login
  • A standalone SPA hosted in a CDN. It uses auth0-js to log in with Facebook
  • A backend API that accepts Auth0 token. The SPA talks to this backend

A new user would experience the following flow:

  • Click on Login with Facebook => a Facebook window is popped up (expected)
  • Login to Facebook from the Facebook window and authorize my app (expected)
  • Get redirected to Auth0 consent page, asking if user trusts my Auth0 application to access <my_auth0_tenant_name> (not desirable)