Identity Cloud

Configure AM to save consent

Requesting the consent of resource owners and end users to share their data is extremely important; however, your company does not need to request consent every time a user wants to use your services.

To provide a better user experience, AM can store the scopes for which a user has given consent in their user profile.

When the client requests a scope combination, AM checks whether the user has already consented to each scope within the combination. If AM finds all the scopes across one or more saved consent entries, the user is not asked to consent. If any part of the requested scope combination is not found in any entry, the user is asked to consent.

Consider an example where the user grants consent to the read scope on a first request and to the email and profile scopes on a second request. AM will not require consent for a request for the read and profile scopes.

To request the user to provide consent even if consent has been saved, add the prompt=consent parameter to the request.
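The following Python is an added illustration of the decision described above, not AM's own code: it models saved consent entries in a `custom_consent` profile attribute, checks a requested scope combination against the union of those entries, and honours `prompt=consent`. The entry format (one space-separated scope combination per entry), the profile layout and the function names are assumptions made for this example.

```python
"""Model of AM's saved-consent check (added example; not AM code)."""
from typing import Iterable, List, Optional, Set

# Name of the custom_ attribute configured as the Saved Consent Attribute.
SAVED_CONSENT_ATTR = "custom_consent"


def saved_scopes(profile: dict) -> Set[str]:
    """Union of every scope the user already consented to, across all entries.
    Entry format (space-separated scope names) is an assumption of this model."""
    scopes: Set[str] = set()
    for entry in profile.get(SAVED_CONSENT_ATTR, []):
        scopes.update(entry.split())
    return scopes


def missing_consent(profile: dict, requested: Iterable[str]) -> Set[str]:
    """Requested scopes that no saved entry covers (empty means no prompt)."""
    return set(requested) - saved_scopes(profile)


def consent_prompt_needed(profile: dict, requested: Iterable[str],
                          prompt: Optional[str] = None) -> bool:
    """prompt=consent always asks; otherwise ask only when some requested
    scope is not found in any saved entry."""
    if prompt == "consent":
        return True
    return bool(missing_consent(profile, requested))


def save_consent(profile: dict, granted: Iterable[str]) -> None:
    """Append a new entry once the user approves a scope combination."""
    profile.setdefault(SAVED_CONSENT_ATTR, []).append(" ".join(sorted(granted)))


def revoke_all_consent(profile: dict) -> None:
    """User-initiated revocation removes every saved entry."""
    profile[SAVED_CONSENT_ATTR] = []


def walk_through() -> List[bool]:
    """Replay the scenario from the text: read, then email+profile,
    then read+profile. Returns whether each request prompted the user."""
    profile = {"userName": "demo", SAVED_CONSENT_ATTR: []}  # constructed profile
    results: List[bool] = []
    for requested in (["read"], ["email", "profile"], ["read", "profile"]):
        needed = consent_prompt_needed(profile, requested)
        results.append(needed)
        if needed:
            save_consent(profile, requested)  # the user approves
    return results  # → [True, True, False]
```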

Resource owners and end users can revoke the consent they have given on requests for access tokens at any time. For details, refer to Let users revoke consent.

Follow these steps to configure AM to save consent:

  1. Add an attribute to user profiles to save consent entries. The attribute must be of type array and have a name that begins with custom_; for example, custom_consent.

    For information on adding attributes to the Identity Cloud schema, refer to Extend user identities in the Identity Cloud documentation.

  2. In the AM admin UI, go to Realms > Realm Name > Services > OAuth 2.0 provider > Consent.

  3. In the Saved Consent Attribute field, add the name of the attribute you created.

  4. Save your changes.

    AM saves the consented scopes in the identity repository and only requests consent when it cannot find the requested scopes.

Copyright © 2010-2022 ForgeRock, all rights reserved.