Allowing the OAuth 2.0 Provider to Save Consent
Requesting the consent of resource owners/end users before sharing their data is extremely important. However, that does not mean your company needs to ask for consent every time a user wants to use your services.
To provide a better user experience, AM can store the scopes for which a user has given consent in that user's profile.
When the client requests a scope combination, AM checks whether the user has already consented to each scope within the combination. If AM can find every requested scope across one or more saved consent entries, AM does not require the user to consent again. If any part of the requested scope combination is not found in any entry, AM requires the user to consent.
Consider an example where the user grants consent to the read scope on a first request and to the email and profile scopes on a second request. AM will not require consent for a request for the read and profile scopes.
Tip
To request the user to provide consent even if it is already saved, add the prompt=consent parameter to the request.
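The scope-coverage rule above, and the effect of prompt=consent, as an added example (this is illustrative code written for this page, not AM's implementation). It assumes a multi-valued attribute named oauth2Consent holding one entry per consent decision, and it assumes consent is tracked per client ID, which the text does not state; both are assumptions of the example, as are the sample client IDs.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class UserProfile:
    # Constructed sample profile: each entry is one saved consent decision,
    # stored as "<client_id> <scope> <scope> ..." (assumed format).
    oauth2Consent: List[str] = field(default_factory=list)


def saved_scopes(profile: UserProfile, client_id: str) -> Set[str]:
    """Union of all scopes the user has already consented to for this client,
    gathered across every saved consent entry."""
    scopes: Set[str] = set()
    for entry in profile.oauth2Consent:
        entry_client, _, entry_scopes = entry.partition(" ")
        if entry_client == client_id:
            scopes.update(entry_scopes.split())
    return scopes


def consent_required(profile: UserProfile, client_id: str,
                     requested: List[str], prompt: Optional[str] = None) -> Set[str]:
    """Scopes that still need the user's consent.

    An empty set means the consent page can be skipped. prompt="consent"
    forces consent for every requested scope even if it is already saved.
    """
    wanted = set(requested)
    if prompt == "consent":
        return wanted
    return wanted - saved_scopes(profile, client_id)


def record_consent(profile: UserProfile, client_id: str, granted: List[str]) -> None:
    """Append a new consent entry; entries are not merged, coverage is
    checked across all of them at request time."""
    profile.oauth2Consent.append(client_id + " " + " ".join(sorted(granted)))


if __name__ == "__main__":
    profile = UserProfile()
    # First request: read. Second request: email and profile.
    record_consent(profile, "app1", ["read"])
    record_consent(profile, "app1", ["email", "profile"])
    # read + profile is covered across the two entries: no consent prompt.
    print(consent_required(profile, "app1", ["read", "profile"]))
    # openid was never consented to: the user must consent.
    print(consent_required(profile, "app1", ["read", "openid"]))
    # prompt=consent asks again even for saved scopes.
    print(consent_required(profile, "app1", ["read"], prompt="consent"))
```

The check is a set difference against the union of the saved entries, which is why consent granted on separate requests can together satisfy a later combined request.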
Resource owners/end users can also revoke consent provided on requests for access tokens at any given time. For more information, see "Allowing Users to Revoke Consent".
Perform the following steps to configure AM to save consent:
1. Create a multi-valued string syntax attribute in your identity store to save consent entries, for example, oauth2Consent. To create the attribute and configure it in AM, see "To Update the Identity Repository for the New Attribute".
2. Log in to the AM console with an administrative user, for example, amAdmin. Navigate to Realms > Realm Name > Services > OAuth 2.0 provider > Consent.
3. In the Saved Consent Attribute field, add the name of the attribute you created in the identity store.
4. Save your changes.
AM will now save the consented scopes in the identity repository and will only request consent when it cannot find the requested scopes.