SPA Implicit Grant: Suppress Consent Page

We have a hybrid app that will be deployed to mobile and as a web app. For native we plan to do the PKCE (via the new cordova plugin). For web we planned on doing the implicit grant.

Upon implementing it, I found out that the implicit grant shows a nasty consent page after login. We own the data and the app here (no 3rd party). Asking the user to give consent is pretty strange in our world.

We want to do the SPA authentication properly, which I thought involved the implicit grant. Is this accurate? If so, can we do that and somehow suppress the consent page?

> We want to do the SPA authentication properly, which I thought involved the implicit grant. Is this accurate?

Yes, that’s correct. The Implicit Grant is suitable for SPAs.

> If so, can we do that and somehow suppress the consent page?

Please have a look at this answer: How do I skip the consent page for my API Authorization flow?

Thanks @fady! So is it accurate to say I need to:

  1. Create an API entity (with “allow skipping user consent” set to true)
  2. Use that API as the audience in my authentication request
  3. Make sure I’m not running as localhost

And then I should get what I’m looking for? Would I still have access to call things like /userinfo with this approach?

> And then I should get what I’m looking for?

That’s right! :)

> Would I still have access to call things like /userinfo with this approach?

Yes, you will. Just be sure to include the openid scope.

Hi @fady - quick question on this. Once I switched my audience to my custom Auth0 API I can no longer access the /userinfo endpoint. I do have openid in my scope as you suggested, and I’m using the access token that comes back as my bearer. I get an invalid token response with the detail below.

The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens

Do I need to have multiple URLs in my audience? I tried to set my API’s signing algorithm to RS256, but that looks to be disabled. My token request is below:

POST /oauth/token HTTP/1.1
Host: atsinc.auth0.com
Content-Type: application/json
Accept: */*

{
  "realm": "Username-Password-Authentication",
  "audience": "https://my.api.here",
  "client_id": "my_clientid",
  "scope": "openid profile last_password_reset",
  "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
  "username": "my_user",
  "password": "my_pw"
}

Hi @fady - One more update on this. I updated my client and created a new API that are both RS256. Seems like this gets past the error above, but it still results in the error below when trying to hit /userinfo with these OIDC-conforming access tokens. Do I somehow need to have 2 audiences in the token request? One for my backend API and one for /userinfo?

{"error":"unauthorized","error_description":"invalid credentials"}

Never mind! This config had an error in the scope: it used commas in place of spaces as delimiters.

Summary: this works as long as the API is set up with RS256 signing (my client has the same).
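The thread turns on three client-side details: the scope string must be space-delimited (the comma mistake above produced "invalid credentials"), the openid scope must be present for /userinfo to work, and an access token minted for a custom API audience is a JWT whose aud lists both the API identifier and the tenant's /userinfo endpoint, which is why the HS256 error message talks about "multiple audiences" and why RS256 is required. The helpers below, an added example and not code from the thread or from Auth0, build the implicit-grant /authorize request, parse the fragment it returns, and sanity-check the token's alg and aud before it is used as a bearer token. The tenant domain, client id, audience and redirect URI are constructed placeholders, and the sample token carries a fake signature; only the /authorize and /userinfo endpoint names are Auth0's.

```javascript
// Added example (not from the thread): SPA helpers for the implicit grant
// with a custom API audience. All domain/client/audience values are placeholders.

// OAuth 2.0 / OIDC scope values are separated by spaces. A comma-joined string
// ("openid,profile") reaches the server as one unknown scope, which is the
// misconfiguration behind the "invalid credentials" response in the thread.
function normalizeScope(scope) {
  if (scope.includes(',')) {
    throw new Error('scope must be space-delimited, not comma-delimited');
  }
  const scopes = scope.trim().split(/\s+/).filter(Boolean);
  if (!scopes.includes('openid')) {
    throw new Error('the openid scope is required to call /userinfo');
  }
  return scopes.join(' ');
}

// Build the /authorize request for the implicit grant. state and nonce are
// mandatory here: the tokens come back in a URL fragment, and these two values
// are what lets the callback reject replayed or injected responses.
function buildAuthorizeUrl({ domain, clientId, audience, redirectUri, scope, state, nonce }) {
  const url = new URL(`https://${domain}/authorize`);
  url.searchParams.set('response_type', 'token id_token');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('audience', audience);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', normalizeScope(scope));
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  return url.toString();
}

// The implicit grant returns access_token, id_token, expires_in and state in
// the fragment of the callback URL (window.location.hash in a browser).
function parseFragment(hash) {
  const query = hash.startsWith('#') ? hash.slice(1) : hash;
  return Object.fromEntries(new URLSearchParams(query).entries());
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  return Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Local sanity check before using the access token as a bearer token. The alg
// and aud are readable without any key; signature verification stays with the
// resource server (an SPA holds no secret and could not verify HS256 anyway).
function inspectAccessToken(jwt, apiAudience, domain) {
  const parts = jwt.split('.');
  if (parts.length !== 3) {
    // Without a custom audience Auth0 issues an opaque token, not a JWT.
    return { ok: false, problems: ['not a JWT: was a custom API audience requested?'] };
  }
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  const problems = [];
  if (header.alg !== 'RS256') {
    problems.push(`alg is ${header.alg}; an HS256 token cannot safely carry two audiences`);
  }
  if (!aud.includes(apiAudience)) problems.push(`aud does not contain ${apiAudience}`);
  if (!aud.includes(`https://${domain}/userinfo`)) problems.push('aud does not contain /userinfo');
  return { ok: problems.length === 0, alg: header.alg, aud, scope: payload.scope, problems };
}

// Constructed sample token with a fake signature so the checks run offline.
function makeConstructedToken(alg, aud, scope) {
  const header = base64UrlEncode(JSON.stringify({ alg, typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({
    iss: 'https://example-tenant.auth0.com/', aud, scope, exp: 4102444800,
  }));
  return `${header}.${payload}.not-a-real-signature`;
}
```

In use, the SPA redirects to buildAuthorizeUrl(...), and on the callback it calls parseFragment(window.location.hash), compares the returned state with the one it stored, and runs inspectAccessToken before attaching the token to the /userinfo request; a token that fails the alg check is the HS256 situation from the first error above, and one whose aud lacks /userinfo will be rejected by that endpoint even though the signing algorithm is right.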