Access Management 7.2.2

Configure AM to save consent

Requesting resource owners/end users consent to sharing their data is extremely important. However, that does not mean that your company needs to be asking for consent every time the user wants to use your services.

To provide a better user experience, AM can store the scopes for which they have given consent in their user profile.

When the client requests a scope combination, AM checks if the user has already consented each scope within the combination. If AM can find the scopes across multiple saved consent entries, AM will not require the user to consent. If part of the requested scope combination is not found in any entry, AM will require the user to consent.

Consider an example where the user grants consent to the read scope on a first request and to the email and profile scopes on a second request. AM will not require consent for a request for the read and profile scopes.

To request the user to provide consent even if it is already saved, add the prompt=consent parameter to the request.

Resource owners/end users can also revoke consent provided on requests for access tokens at any given time. For more information, see Let users revoke consent.

Perform the following steps to configure AM to save consent:

  1. Create a multi-valued string syntax attribute in your identity store to save consent entries.

    For example, oauth2Consent.

    To create the attribute and configure it in AM, see Update the identity repository for the new attribute.

  2. In the AM admin UI, go to Realms > Realm Name > Services > OAuth 2.0 Provider > Consent.

  3. In the Saved Consent Attribute field, add the name of the attribute you created in the identity store.

  4. Save your changes.

    AM will now save the consented scopes in the identity repository and will only request consent when it cannot find the requested scopes.

Copyright © 2010-2024 ForgeRock, all rights reserved.