Allowing the OAuth 2.0 Provider to Save Consent
Requesting resource owners/end users consent to sharing their data is extremely important. However, that does not mean that your company needs to be asking for consent every time the user wants to use your services.
To provide a better user experience, Identity Cloud can store the scopes for which they have given consent in their user profile.
When the client requests a scope combination, Identity Cloud checks whether the user has already consented to each scope within the combination. If Identity Cloud can find all of the requested scopes across one or more saved consent entries, it will not require the user to consent again. If any part of the requested scope combination is not found in any entry, Identity Cloud will require the user to consent.
Consider an example where the user grants consent to the read scope on a first request and to the profile scopes on a second request. Identity Cloud will not require consent for a request for the
To request the user to provide consent even if it is already saved, add the prompt=consent parameter to the request.
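The following is an added illustration of the decision logic described above; it is not Identity Cloud's own code. It assumes, for the sake of the example, that each saved consent entry in the multi-valued attribute is a space-separated string of the form "<client_id> <scope> <scope> ...", that the requested scopes arrive as the space-separated scope parameter of an authorization request, and that a prompt parameter containing the value consent forces a fresh consent screen regardless of what is saved. The entry format and the helper names are assumptions, not documented behaviour.

```python
from urllib.parse import parse_qs, urlparse


def parse_saved_consent(entries):
    """Build {client_id: set(scopes)} from the multi-valued consent attribute.

    Assumed entry format: "<client_id> <scope> <scope> ...". Scopes consented
    across several entries for the same client are merged, which is what lets
    a later request be satisfied by scopes granted on different occasions.
    """
    consented = {}
    for entry in entries:
        parts = entry.split()
        if len(parts) < 2:
            # Malformed entry (no client or no scopes): ignore rather than
            # treat it as a grant of anything.
            continue
        client_id, scopes = parts[0], parts[1:]
        consented.setdefault(client_id, set()).update(scopes)
    return consented


def consent_required(requested_scopes, saved_entries, client_id, prompt=None):
    """Return (required, missing_scopes).

    required is True when the user must be shown the consent screen, either
    because prompt=consent was sent or because at least one requested scope
    has never been consented to for this client.
    """
    requested = set(requested_scopes)
    if prompt and "consent" in prompt.split():
        # prompt=consent overrides saved consent entirely.
        return True, requested
    granted = parse_saved_consent(saved_entries).get(client_id, set())
    missing = requested - granted
    return bool(missing), missing


def evaluate_authorize_request(url, saved_entries):
    """Parse an authorization request URL and decide whether consent is needed."""
    query = parse_qs(urlparse(url).query)
    client_id = query.get("client_id", [""])[0]
    scopes = query.get("scope", [""])[0].split()
    prompt = query.get("prompt", [None])[0]
    return consent_required(scopes, saved_entries, client_id, prompt)


def record_consent(saved_entries, client_id, scopes):
    """Return a new attribute value list with one more consent entry appended."""
    return saved_entries + [" ".join([client_id, *scopes])]


if __name__ == "__main__":
    # Constructed sample: consent saved on two separate requests.
    saved = record_consent([], "myClient", ["read"])
    saved = record_consent(saved, "myClient", ["email", "profile"])

    base = "https://tenant.example.com/am/oauth2/authorize?client_id=myClient"
    print(evaluate_authorize_request(base + "&scope=read+email+profile", saved))
    print(evaluate_authorize_request(base + "&scope=read+openid", saved))
    print(evaluate_authorize_request(base + "&scope=read&prompt=consent", saved))
```

Two design points worth noting: consent is keyed by client, so a scope granted to one client is not silently reused for another, and malformed entries are ignored rather than interpreted as a grant, so a corrupted attribute value cannot widen what the user is assumed to have agreed to.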
Resource owners/end users can also revoke consent provided on requests for access tokens at any given time. For more information, see "Allowing Users to Revoke Consent".
Perform the following steps to configure Identity Cloud to save consent:
Create a multi-valued string syntax attribute in your identity store to save consent entries. For example,
In the AM Admin UI, go to Realms > Realm Name > Services > OAuth 2.0 provider > Consent.
In the Saved Consent Attribute field, add the name of the attribute you created in the identity store.
Save your changes.
Identity Cloud will now save the consented scopes in the identity repository and will only request consent when it cannot find the requested scopes.