Want to disable profile, email consent for the first party SPA app

For a tenant (Dev tenant), the following is the API and app Terraform configuration. When I log in using the frontend_app (SPA, RBAC enabled), I keep getting the consent message: "Frontend App is requesting access to your Dev Tenant account. * Profile: access to your profile and email". I have skip_consent_for_verifiable_first_party_clients set to true on the API, is_first_party = true in the app, and all the scopes of the API allowed in the app, including profile, email, openid etc. I want to remove that consent message from the flow.

resource "auth0_resource_server" "backend_api" {
  name                                            = "Backend API"
  identifier                                      = var.backend_identifier
  signing_alg                                     = "RS256"
  token_dialect                                   = "access_token"
  enforce_policies                                = true
  skip_consent_for_verifiable_first_party_clients = true
  token_lifetime                                  = 900
  token_lifetime_for_web                          = 900
}

resource "auth0_resource_server_scopes" "backend_api_scopes" {
  resource_server_identifier = var.backend_identifier
  depends_on                 = [auth0_resource_server.backend_api]
  scopes {
    name        = "read:all"
    description = "Read all information"
  }
  scopes {
    name        = "write:all"
    description = "Write all information"
  }
  scopes {
    name        = "delete:all"
    description = "Delete all information"
  }
}

resource "auth0_client" "frontend_app" {
  name            = "Frontend App"
  app_type        = "spa"
  oidc_conformant = true
  is_first_party  = true

  callbacks           = var.frontend_callback
  allowed_logout_urls = var.frontend_logout_urls
  web_origins         = var.frontend_web_origins

  grant_types = [
    "authorization_code",
    "implicit",
    "refresh_token"
  ]

  jwt_configuration {
    alg                 = "RS256"
    lifetime_in_seconds = 36000 # 36000 s = 10 hours (the original comment said 15 mins; that would be 900)
    scopes              = {}
    secret_encoded      = false
  }
  cross_origin_auth = true

  refresh_token {
    expiration_type              = "expiring"
    infinite_idle_token_lifetime = true
    infinite_token_lifetime      = false
    rotation_type                = "rotating"
    token_lifetime               = 172800 # 2 days
  }
}

resource "auth0_client_grant" "frontend_app_management" {
  client_id = auth0_client.frontend_app.client_id
  audience  = var.backend_identifier
  scopes = [
    "profile",
    "email",
    "openid",
    "read:all",
    "write:all",
    "delete:all"
  ]
}

Hi @varun.r

Welcome to the Auth0 Community!

If you have skip_consent_for_verifiable_first_party_clients set to true and your application has is_first_party = true, can you verify that you don't have localhost in any form in your application's Allowed Callback URLs? You can read more about that here → User Consent and Third-Party Applications

Thanks
Dawid
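A small preflight check, added here as an example and not part of the thread or of the Auth0 Terraform provider, that encodes the rule Dawid points to: Auth0 skips consent only when the API has skip_consent_for_verifiable_first_party_clients = true, the client is is_first_party = true, and none of the client's callback URLs points at localhost (a localhost callback makes the client non-verifiable). The callback values are constructed, since the thread only shows var.frontend_callback.

```python
from urllib.parse import urlparse

# Hosts that make a first-party client "non-verifiable" for consent purposes.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_local_callback(url: str) -> bool:
    """True if the callback URL points at a loopback / localhost host."""
    host = (urlparse(url).hostname or "").lower()
    return host in LOCAL_HOSTS or host.endswith(".localhost")


def consent_reasons(api: dict, client: dict) -> list[str]:
    """Return the reasons Auth0 will still show the consent prompt.

    An empty list means the configuration satisfies all three conditions
    for skipping consent. `api` mirrors auth0_resource_server arguments,
    `client` mirrors auth0_client arguments (with callbacks resolved).
    """
    reasons = []
    if not api.get("skip_consent_for_verifiable_first_party_clients", False):
        reasons.append("API: skip_consent_for_verifiable_first_party_clients is not true")
    if not client.get("is_first_party", False):
        reasons.append("client: is_first_party is not true")
    local = [u for u in client.get("callbacks", []) if is_local_callback(u)]
    if local:
        reasons.append(f"client: localhost callback URLs present: {local}")
    return reasons


# Values from the thread; the callback list is constructed for illustration.
BACKEND_API = {"skip_consent_for_verifiable_first_party_clients": True}
FRONTEND_APP_DEV = {
    "is_first_party": True,
    "callbacks": ["https://app.example.com/callback", "http://localhost:3000/callback"],
}
FRONTEND_APP_FIXED = {
    "is_first_party": True,
    "callbacks": ["https://app.example.com/callback"],
}

if __name__ == "__main__":
    for name, client in (("dev", FRONTEND_APP_DEV), ("fixed", FRONTEND_APP_FIXED)):
        print(name, consent_reasons(BACKEND_API, client) or "consent will be skipped")
```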
