AM 7.2.2

Manage consent

Many of the OAuth 2.0/OpenID Connect flows require the user to explicitly agree to provide the client with access to their resources. This act of trust is one of the pillars of OAuth 2.0 and OpenID Connect.

Users grant consent based on scopes. In OAuth 2.0, scopes are a concept that limits the information to share with the client or the actions the client can do with the user’s data. In OpenID Connect, scopes can be mapped to specific user data, too. For example, AM maps the profile scope to a number of user profile attributes.

AM has built-in consent pages in its UI, but you can hand off the consent-gathering part of the flow to a separate service by configuring remote consent.

By default, scopes are not configured to display in the consent pages. You can either disable the consent pages, or manually add scopes for display in the OAuth 2.0 provider configuration.

For OpenID Connect, customize claims for display in the provider configuration or at the client level.

AM lets clients store the scopes to which the user has given consent, to improve the user experience; this is useful, for example, to minimize customer interaction. In the same way, AM lets users revoke consent at any point in time.

In some circumstances, however, clients may need a mechanism to skip consent altogether; for example, for trusted application-to-application or service-to-service interaction.
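The following is an added illustration, not AM's own code, of the consent decisions described above: a trusted client that skips consent, scopes the user already approved that are not asked for again, revocation, and a scope-to-claims mapping in the spirit of the profile scope (the attribute lists, the client fields and the function names are assumptions for the example).

```python
from dataclasses import dataclass, field

# Constructed scope-to-claims mapping modelled on the page's description that
# OpenID Connect scopes map to user data; the attribute sets are an assumption.
SCOPE_TO_CLAIMS = {
    "openid": [],
    "profile": ["name", "family_name", "given_name"],
    "email": ["email", "email_verified"],
}


@dataclass
class Client:
    client_id: str
    skip_consent: bool = False  # trusted application-to-application client
    saved_consent: set = field(default_factory=set)  # scopes already approved


def consent_decision(client, requested, display_scopes):
    """Return (scopes still needing consent, claims to show on the page).

    - a trusted client skips consent entirely
    - scopes the user already approved are not asked for again
    - only scopes configured for display contribute claims to the page
    """
    unknown = set(requested) - set(SCOPE_TO_CLAIMS)
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    if client.skip_consent:
        return set(), []
    pending = set(requested) - client.saved_consent
    shown = pending & set(display_scopes)
    claims = sorted(c for s in shown for c in SCOPE_TO_CLAIMS[s])
    return pending, claims


def grant(client, scopes):
    """Record the scopes the user approved so later requests reuse them."""
    client.saved_consent |= set(scopes)


def revoke(client):
    """The user withdraws consent; every scope must be approved again."""
    client.saved_consent.clear()
```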

Copyright © 2010-2024 ForgeRock, all rights reserved.