
Auth0 asks for consent to access tenant when logging in


I am developing an Angular2 app which uses auth0 for authentication. I used the auth0 lock widget to authenticate users.

Now, I want to use auth0-js instead of the lock widget for authentication. I followed this guide to add auth0-js to the app.

After adding auth0-js, when a new user tries to log in to the app, Auth0 displays the following consent screen to the user.

(screenshot: the Auth0 consent screen shown to the user)

I want the users to be able to directly access my app, without needing to accept a consent screen. The consent question asked in this dialog can be confusing to users since it mentions tenants.

When I searched for a solution, the solution mentioned in various places was to make the client a first party client. But, I cannot find any place in the management console to make the client a first party client.

How can I disable this consent screen?

Following is the auth0-js config I used in the app.

auth0 = new auth0.WebAuth({
    clientID: 'my_client_id',
    domain: 'my_domain.auth0.com',
    responseType: 'token id_token',
    // target API for the access token; consent is requested for this audience
    audience: 'https://my_domain.auth0.com/userinfo',
    // page the user is returned to after Auth0 authenticates them
    redirectUri: window.location.origin + '/auth_loading',
    scope: 'openid'
});

Solution

  • In Auth0 Dashboard, under APIs -> Auth0 Management API -> Settings (tab)

    (screenshot: the Allow Skipping User Consent toggle on the Settings tab)

    If you are using a specific audience for a Resource API you have defined yourself in the Dashboard, then there is a similar Allow Skipping User Consent toggle for that particular API. Use that. audience specifies the target API for your access token. If you don't want to call a specific API, keep it set to https://my_domain.auth0.com/userinfo.

    Re. the question about First Party. If you created your client in the Auth0 Dashboard, then it is First Party by default. Only first-party clients can skip the consent dialog, assuming the resource server they are trying to access on behalf of the user has the "Allow Skipping User Consent" option enabled. The Auth0 Dashboard does not offer a flag for this, but if you use the Auth0 Management API v2 Get Clients endpoint, then you will see the flag (boolean) value listed for your client, e.g.

    "is_first_party": true
    

    See https://auth0.com/docs/api/management/v2#!/Clients/get_clients for details.

    Finally, please note the following: https://auth0.com/docs/api-auth/user-consent#skipping-consent-for-first-party-clients - in particular note that consent cannot be skipped on localhost. As per the docs (link above), during development you can work around this by modifying your /etc/hosts file (which is supported on Windows as well as Unix-based OSes) to add an entry such as the following:

    127.0.0.1       myapp.dev
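The answer above lists three preconditions for the dialog to be skipped: a first-party client, an audience API with "Allow Skipping User Consent" enabled, and a redirect host that is not localhost. The following is an added example, not code from the question, the answer or Auth0, that checks a setup against those three conditions; the client object mirrors one entry of the Management API v2 Get Clients response, the toggle state is passed in as a plain boolean, and the sample data is constructed.

```javascript
// Added example (not from the question or the answer): report why the Auth0
// consent dialog would still be shown for a given client / audience / redirect.
//
//   client          - one entry as returned by GET /api/v2/clients
//                     (only "is_first_party" is inspected)
//   apiSkipsConsent - state of the "Allow Skipping User Consent" toggle of the
//                     API the audience points at (passed in as a boolean)
//   redirectUri     - the redirectUri handed to auth0.WebAuth
// Returns an array of reasons; an empty array means consent can be skipped.
function consentDialogReasons(client, apiSkipsConsent, redirectUri) {
  const reasons = [];

  if (client.is_first_party !== true) {
    reasons.push('client is not first party (is_first_party is not true)');
  }
  if (!apiSkipsConsent) {
    reasons.push('audience API does not have "Allow Skipping User Consent" enabled');
  }

  let host;
  try {
    host = new URL(redirectUri).hostname;
  } catch (e) {
    reasons.push('redirectUri is not an absolute URL: ' + redirectUri);
    return reasons;
  }
  // Consent cannot be skipped on localhost. The host *name* is what matters,
  // which is why the /etc/hosts alias (127.0.0.1 myapp.dev) from the answer works.
  if (host === 'localhost') {
    reasons.push('redirectUri host is localhost; alias it in /etc/hosts during development');
  }
  return reasons;
}

// Constructed sample client (not real tenant output).
const sampleClient = { name: 'my-angular-app', client_id: 'my_client_id', is_first_party: true };

// Development setup from the question: first-party client, toggle on, but served on localhost.
const devReasons = consentDialogReasons(sampleClient, true, 'http://localhost:4200/auth_loading');
// → one reason: the localhost host name

// Same setup after the /etc/hosts workaround: nothing blocks skipping consent.
const aliasedReasons = consentDialogReasons(sampleClient, true, 'http://myapp.dev:4200/auth_loading');
// → []
```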